Tuesday, April 24, 2012

Flashback RoundUp: Conflicting Infection Reports, More Zombie Macs, & New Variant Spotted

Phew!

A lot has been going on with the whole Flashback (or “Flashfake”) malware fiasco, so I’ll do my best to sum everything up…

Conflicting Reports on # of Macs Infected with Flashback Malware

For a short period of time, it appeared that things were improving as Symantec had reported that the number of Macs infected with Flashback malware had dropped from 600,000+ to 140,000.

Kaspersky Lab also reported a decrease in the number of infections, stating that only 30,000 Macs were still under the influence of Flashback (aka Flashfake) malware.

However, these numbers didn’t match up with the latest report from Dr. Web, which still reflected an army of zombie Macs that was still over 500,000 machines strong.

Confused? Good, so was the rest of the world, which led some to question whether security firms were simply trying to scare users into purchasing antivirus software.

So, what’s with the discrepancy?

Apparently, sinkholes set up by Symantec (and other companies) were receiving check-ins from only a fraction of the infected hosts.

Dr. Web reported that a server registered at IP address (and controlled by an unidentified third party) would accept connections from infected Macs but never close the TCP connection. This left the bots in a 'standby' state, waiting for a reply from that server and never moving on to the other command & control servers (or the sinkholes set up by the security companies tracking the malware).

That skewed the number of infected machines each research team could observe, which ultimately led to the contradictory reports.

Researchers at Intego agreed with Dr. Web’s claims and went on to say that there are likely infected Macs that are not being accounted for and that there was a possibility that more Macs are being infected on a daily basis.

Fueling the fire of uncertainty, Intego also reported that some of the specific domains that Flashback malware attempts to contact resolve to (or localhost), keeping the Mac from reaching the command & control servers and knocking the stats even further off-track.

There’s a New Flashback Variant Out There…

As if that weren’t aggravating enough, Intego also reported yesterday that they’d spotted a new variant of Flashback (Flashback.S) that continues to exploit the Java vulnerability CVE-2012-0507, which Apple patched earlier this month.

Intego warns this latest Flashback variant is actively being distributed in the wild (likely via drive-by-downloads) and does not require a password to be installed.

During installation, Flashback.S will place its files in the user’s home folder, at the following locations:

  • ~/Library/LaunchAgents/com.java.update.plist

  • ~/.jupdate

Once the installation is complete, Flashback deletes all of the files and folders in  ~/Library/Caches/Java/cache to remove the applet from the infected Mac and avoid detection or sample recovery.
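The two paths above are enough to hunt for this persistence mechanism yourself. The script below is an added example (not Intego's or this post's own tool): it walks ~/Library/LaunchAgents, flags the exact plist name from the post, and more generally flags any agent whose program is a hidden dotfile sitting directly in the home directory, which is the layout Flashback.S uses and which legitimate agents almost never use. The "infected" home directory it scans in demo_on_constructed_home() is constructed in a temp folder; the plist contents there are assumed, since the post does not reproduce them.

```python
"""Hunt for the Flashback.S persistence pattern: a LaunchAgent under
~/Library/LaunchAgents that launches a hidden dotfile in the home directory.
Added example, not Intego's or the post author's code. Only the two file
names come from the post; the rest is a generalisation of that pattern."""
import os
import plistlib
import tempfile
from pathlib import Path

KNOWN_AGENT = "com.java.update.plist"    # path from the post: ~/Library/LaunchAgents/...
KNOWN_PAYLOAD = ".jupdate"               # path from the post: ~/.jupdate


def _program_path(plist: dict, home: str) -> str:
    """Executable a launchd job runs: Program, else ProgramArguments[0]; expand ~ against `home`."""
    prog = plist.get("Program")
    if not isinstance(prog, str):
        args = plist.get("ProgramArguments")
        prog = args[0] if isinstance(args, list) and args and isinstance(args[0], str) else ""
    if prog.startswith("~/"):
        prog = os.path.join(home, prog[2:])
    return prog


def find_suspicious_launch_agents(home: str) -> list:
    """Return (plist path, reason) pairs for agents matching the Flashback.S pattern."""
    home_path = Path(home)
    agents_dir = home_path / "Library" / "LaunchAgents"
    findings = []
    if not agents_dir.is_dir():
        return findings
    for plist_file in sorted(agents_dir.glob("*.plist")):
        reasons = []
        if plist_file.name == KNOWN_AGENT:
            reasons.append("known Flashback.S agent name")
        try:
            with open(plist_file, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:               # unreadable plist is itself worth a look
            findings.append((str(plist_file), f"unparseable plist: {exc}"))
            continue
        prog = _program_path(data, home)
        if prog:
            prog_path = Path(prog)
            if prog_path.name == KNOWN_PAYLOAD:
                reasons.append("runs the known Flashback.S payload ~/.jupdate")
            elif prog_path.parent == home_path and prog_path.name.startswith("."):
                reasons.append(f"runs a hidden file in the home directory: {prog}")
        if reasons:
            findings.append((str(plist_file), "; ".join(reasons)))
    return findings


def java_cache_is_empty(home: str) -> bool:
    """Weak corroborating sign only: Flashback.S wipes ~/Library/Caches/Java/cache after install."""
    cache = Path(home) / "Library" / "Caches" / "Java" / "cache"
    return cache.is_dir() and not any(cache.iterdir())


def demo_on_constructed_home() -> list:
    """Build a throwaway home directory mimicking an infected Mac (constructed data) and scan it."""
    home = tempfile.mkdtemp(prefix="flashback-demo-")
    agents = Path(home) / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / KNOWN_AGENT, "wb") as fh:      # plist keys/values are assumed
        plistlib.dump({"Label": "com.java.update",
                       "ProgramArguments": [str(Path(home) / KNOWN_PAYLOAD)],
                       "RunAtLoad": True}, fh)
    with open(agents / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    return find_suspicious_launch_agents(home)


if __name__ == "__main__":
    for path, why in find_suspicious_launch_agents(os.path.expanduser("~")):
        print(path, "->", why)
```

Run it as-is to scan your own account; the generic "hidden file in the home directory" rule will also catch renamed variants that keep the same layout, so treat any hit as something to inspect rather than auto-delete.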

Protect Yourself from Flashback Malware

If you haven’t done so already, I strongly recommend that you:

  • Apply all of the security updates issued by Apple to remove common variants of Flashback, patch the Java vulnerabilities exploited by the Flashback malware, and disable Java browser plug-ins if they go unused for an extended period of time (Lion only).

  • Consider disabling Java on your machine or toggle Java browser plug-ins as needed.

  • Install antivirus software on your Mac. Sophos offers a free Mac antivirus solution, so you really don’t have an excuse for not doing it.

  • Keep all software up-to-date and be careful of what files you download or websites you visit. Remember, you don’t have to visit a “shady” site to be infected by malware. Cybercriminals often use compromised sites to deliver malware via drive-by-downloads, including Flashback.

What measures are you taking to protect your Mac?

Support tips from Hyphenet

Hello all, My name is Matthew and I provide computer, server, and network support for our customers here at Hyphenet.  I plan on posting some small support tips or work experiences here from time to time.  See you soon!

Myspace Spam Links to Pharmacy Websites

Did that Myspace email notifying you that you’ve received a new private message take you to a pharmaceutical website?

That’s because the message wasn’t really sent from Myspace.

Yes, spammers have begun to fire out bogus Myspace emails to generate traffic for whatever illegal drug site they’re backing, in addition to the YouTube, Foursquare, Tagged, LinkedIn & Twitter spam we've seen in the past.

Since the spam messages have been carefully crafted to play the part of a legitimate Myspace email notice, it’s up to recipients to make sure they mouseover links to check the destination URL before clicking. The last thing we want to do is give spammers what they want, which is exposure for their drug-peddling websites.

Here’s one of the fake Myspace notification emails we recently got:

Myspace Spam Message

Subject: Olwen Douglas has sent you a new private message
From: Myspace (noreply@message.myspace.com)

Olwen Douglas has sent you a new private message.
View message

Don't miss out on what everyone is into

Travis Barker
+ Friend

Justin Bieber
+ Friend

Diggy Simmons
+ Friend

To turn off notifications, update your account settings.

If you receive an email purporting to be from Myspace, hover your mouse over each link and check the destination URL your mail client or browser shows (usually in the status bar, not the address bar) to make sure it actually points to the social networking site.

None of the links within the Myspace spam messages link to the actual Myspace domain, so if you check the links and they point to some random web address, it's likely spam.

As far as reporting these messages to Myspace, you can visit myspace.com and click 'Report Abuse' in the footer. It is important to note that it's not difficult to spoof email headers, so it's highly doubtful that the spam messages originated from Myspace. However, it still doesn't hurt to let them know since the company is not opposed to going after spammers.

Have you received any fake Myspace emails? Did you report them to Myspace or did you delete them?

Monday, April 23, 2012

Buy a Qualifying ViewSonic Projector & Get a FREE 80" Elite Screen or Screen & Mount

Need a new projector for your company conference room, school classroom or perhaps your personal home theater?

For a limited time, when you purchase a qualifying ViewSonic Projector you can get an 80-inch Elite Screen or screen and mount for FREE with a mail-in rebate.

All you have to do is purchase the qualifying ViewSonic Projector of your choice between April 1st - June 30th, 2012 and complete the rebate form available online (you will need to upload your legible proof of purchase sales receipt during the rebate form submission process or send it via email or fax). Keep in mind that shipping & handling charges do apply.

There are plenty of qualifying ViewSonic Projector models to choose from, so please contact Hyphenet for prices and model specifications by calling (619) 325-0990 or sending an email to sales@hyphenet.com.

Qualifying ViewSonic Projector Models

720p (WXGA): PJD5523w

Screen & Mount Shipping Rates

Contiguous 48 States
$48 U.S. shipping and handling for screen only.
$76 U.S. shipping and handling for screen & mount.

Alaska and Hawaii
$70 U.S. shipping and handling for screen only.
$120 U.S. shipping and handling for screen & mount.

Promotion Details

Submission requirements – Submit the rebate form in its entirety along with a legible copy of proof of purchase sales receipt by e-mail or fax (you can also attach receipt during the form fill out submission process). The qualifying item(s) must be purchased between April 1, to June 30, 2012. Offer good on purchase(s) from all resellers. Claim form(s) postmarked more than 30 days after the purchase date are ineligible.

By submitting the claim form, you certify that the above items are for personal use only and not for resale. Allow 2 – 4 weeks from the submission date for processing of your rebate or other promotional offers. This offer is valid for the customer named on the sales receipt only.

Elite Screens Inc. and its associated companies are not responsible for lost or misdirected shipments of the free screen package promotion. This offer is void if not fully redeemed within three (3) months of the close of the redemption period. Offer void where prohibited or restricted by law. Fraudulent submission of multiple requests may result in prosecution under applicable law.

Elite Screens Inc. and its associated companies reserve the right to request additional information and to audit any claims regarding this promotion which may result in nullification of any claims that cannot be substantiated. Products received through this rebate or promotional offer cannot be returned. Limit one (1) rebate or other promotional offer per qualifying item purchased.

Terms and conditions are subject to change without notice.

This offer is valid until June 30th, 2012.

Call (619) 325-0990 to order your qualifying ViewSonic Projector today & get your free 80" Elite Screen or screen with mount!

* Shipping and taxes apply.

Friday, April 20, 2012

Updated: Phony Foursquare Emails Link to Pharmacy Websites

In the past we’ve seen spammers imitate emails from YouTube, Twitter, LinkedIn and Tagged in order to direct users to pharmacy websites, so it’s not all that surprising to find out that they’ve added Foursquare to the mix.

The email we received this morning - which carries a spoofed date to keep it at the top of the inbox for most of the day - posed as a notice from the popular location-based social networking site that someone had just approved me as a friend.

Now, I knew the email was fake the moment I received it since I personally don’t use Foursquare, but I could see how an actual user could be led to believe that it’s real.

Foursquare Spam
From: foursquare (noreply@foursquare.com)

Subject: Jacqueline Turner is now your friend

Received: Friday, April 20, 2012 4:46 PM


Hey there - Just a heads up that Jacqueline Turner has approved your friend request on foursquare. View their profile: https://foursquare.com/user/46711115

Have fun!
- Your friends @ foursquare

foursquare labs, Inc. 568 Broadway, New York, NY 10012

Please remember you can always go to your User Settings page to adjust your account and contact info, privacy controls, email preferences and options linking to Twitter and Facebook.

So what happens if you click on any link within the Foursquare spam message?

In this particular case, you would’ve been redirected to a pharmaceutical website, but I would not put it past spammers to switch it up and start sending users to sites that actually serve malware.

With all of this in mind, if you receive any emails purporting to be from Foursquare, make sure you take a moment to check the true destination URL for any embedded links before clicking on them. All you have to do is mouseover the link and observe the URL that pops up (usually in your browser status bar).
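The checks both this post and the Myspace post above recommend (hover over each link, confirm it points at the claimed site, remember the From address is trivially spoofed) can be automated before the message ever reaches a user. The script below is an added example, not Foursquare's, Myspace's or this blog's own code. Both messages it parses are constructed for the example, and pills.example.net is an invented stand-in for a spammer's domain; the only real detail borrowed is the wording of the Foursquare notice quoted above.

```python
"""Triage a social-network notification email: every link should stay on the
claimed site, visible link text should match the real href, and the envelope
sender (Return-Path) should match the From domain. Added example, not
Foursquare's, Myspace's or the post author's code; messages are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed spam modelled on the Foursquare notice quoted above: the visible
# text shows a foursquare.com URL, but the href underneath goes elsewhere.
SPAM_EMAIL = b"""Return-Path: <bounce@mailer.example.net>
From: foursquare <noreply@foursquare.com>
Subject: Jacqueline Turner is now your friend
Content-Type: text/html; charset=utf-8

<html><body>
<p>Jacqueline Turner has approved your friend request on foursquare.</p>
<p>View their profile:
<a href="http://pills.example.net/u/46711115">https://foursquare.com/user/46711115</a></p>
<p><a href="http://pills.example.net/?r=4sq">Have fun!</a></p>
</body></html>
"""

# Constructed legitimate-looking counterpart for comparison.
CLEAN_EMAIL = b"""Return-Path: <bounce@foursquare.com>
From: foursquare <noreply@foursquare.com>
Subject: Jacqueline Turner is now your friend
Content-Type: text/html; charset=utf-8

<html><body>
<p>View their profile:
<a href="https://foursquare.com/user/46711115">https://foursquare.com/user/46711115</a></p>
<p><a href="https://foursquare.com/settings">User Settings</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (no public-suffix logic here)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def _addr_domain(header_value) -> str:
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage_notification(raw: bytes, claimed_domain: str) -> dict:
    """Return the checks a recipient would otherwise do by hand."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _addr_domain(msg.get("From"))
    return_path_domain = _addr_domain(msg.get("Return-Path"))
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    offsite, disguised = [], []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if not host_is_under(href_host, claimed_domain):
            offsite.append(href)
        text_host = urlparse(text).hostname or ""   # set only when the visible text is itself a URL
        if text_host and text_host != href_host:
            disguised.append((text, href))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "sender_mismatch": return_path_domain != from_domain,
        "offsite_links": offsite,
        "disguised_links": disguised,
    }


def looks_like_spam(raw: bytes, claimed_domain: str) -> bool:
    """Any link that leaves the claimed site is the decisive signal, as both posts say."""
    return bool(triage_notification(raw, claimed_domain)["offsite_links"])
```

Treat the sender mismatch as a weak signal only: plenty of legitimate bulk mail is sent through a third-party provider whose Return-Path domain differs from the From domain. The off-site and disguised links are the part that actually separates these messages from real notifications.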

Update: Apparently a lot of people have been receiving Foursquare spam and have contacted the company via Twitter to report it.

Foursquare is aware of the spam campaigns hitting folks' email inboxes and has confirmed that the emails are not coming from them.

Foursquare Confirms Phishing Emails Not from Them

Foursquare Responds to Users' Tweets about Spam

Have you received any Foursquare spam?

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

Thursday, April 19, 2012

Domain Name Scams Still Going 'Round..

Want to know how scammers trick you into paying for overpriced domain names that you don’t need?

First off, they harvest email addresses from WHOIS records or scrape them directly from the website associated with the targeted domain names in question.

Then they’ll fire off a bogus email claiming that another company has applied to register your name under various Asian top-level domains (“.asia”, “.cn”, “.hk”, “.in”, etc.).

To create a sense of urgency that will hopefully keep you from looking before you leap, you’re given a seven-day window to reply and stake your claim over the domains before they’re handed over to whatever fictitious company is named in the spam message.

Here’s a copy of the spam message that we recently got:

Domain Dispute Scam

From: Avery (avery@tsnet-china.com)
Subject: Regarding “hyphenet” Dispute

(If you are not in charge of this please transfer this email to your President or appropriate person, thanks)

Dear President,

We are the department of Asian Domain registration service in china, have something to confirm with you. We formally received an application on April 10, 2012. One company which self-styled "Cokent Investment, Inc" were applying to register "hyphenet" as Network Brand and following domain names:


After our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we will finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for "Cokent Investment, Inc".

Best Regards,

Avery Yang

Registration Dept.

Tel: +862885915586  ||  Fax: +862885912116 Address:8/F XiYu building No,52 JinDun Road,QingYang District,Chengdu City,China.

Please consider the environment before you print this e-mail.

Despite what this spam message claims, it’s unlikely that anyone actually applied for the domains in question. You're merely being fed the same sales pitch that has been used in this scam for years. (Google "chinese domain name scam" to see what I mean.)

In the event that you’re actually interested in snatching up the domains to protect your brand, it’s recommended that you locate a reputable registrar to purchase the domains. Don’t feed the spammers by replying to their emails or registering domains through them.

If you receive this message, or one similar to it because the verbiage and list of domains may vary, then it’s best that you delete it immediately.

Have you ever received an email like the one shown above? Feel free to share your experience!

Photo Credit: chrisdlugosz

Researchers say 140,000 Macs still infected with Flashback malware

Despite all of the media coverage, free "detect & destroy" tools offered by multiple antivirus vendors and Apple releasing system updates to both remove the malware and patch the Java vulnerability that helped it infect over half-a-million Macs, Symantec says that there are still over 140,000 OS X machines infected by Flashback.

“The statistics from our sinkhole are showing declining numbers on a daily basis,” Symantec researchers wrote in a Thursday blog post, “However, we had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case.”

Flashback Botnet Size

Symantec researchers stated that the domain name for the botnet’s command & control server changes on a daily basis, and that it’s not limited to using “.com” as the top-level domain: .in, .info, .kz and .net top-level domains are used as well.

Flashback has not gone without upgrades either. Symantec researchers pointed out that Flashback is capable of using Twitter to retrieve updated C&C locations by searching for specific hashtags generated by Flashback.K’s hashtag algorithm. How’s that for being resourceful?
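A C&C domain that changes every day is exactly what sinkholing is built for: once researchers have reverse-engineered the generation algorithm, they can compute the domains for the coming days, register or sinkhole them ahead of the bots, and match the same list against DNS logs to find infected hosts. The code below is an added example of that workflow. Its generator is a simple illustrative date-seeded DGA using the TLD list from this post; it is NOT Flashback's real algorithm (which the post does not describe), the seed is an assumption, and the DNS log lines are constructed.

```python
"""Why a daily-changing C&C domain is fought by pre-computing it: list the
domains for the coming days, sinkhole them, and match them against DNS logs.
Added example: the generator is an illustrative date-seeded DGA, NOT
Flashback's real algorithm (the post does not describe it); log lines are
constructed."""
import hashlib
from datetime import date, timedelta

# The TLDs the post says Flashback rotates through.
TLDS = ["com", "in", "info", "kz", "net"]
SEED = b"illustrative-seed"   # assumption: a fixed secret shared by the malware and its author


def generate_domain(day: date) -> str:
    """Illustrative DGA: one deterministic domain per calendar day."""
    digest = hashlib.sha256(SEED + day.isoformat().encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])   # 12 lowercase letters
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"


def sinkhole_schedule(start: date, days: int) -> dict:
    """Date -> domain a defender should register or sinkhole for each of `days` days."""
    return {start + timedelta(n): generate_domain(start + timedelta(n)) for n in range(days)}


def match_dns_log(lines, start: date, days: int) -> list:
    """Return (line number, qname) for queries that hit any domain in the schedule."""
    wanted = set(sinkhole_schedule(start, days).values())
    hits = []
    for num, line in enumerate(lines, 1):
        parts = line.split()
        # constructed log format: "<timestamp> <client-ip> query <qname>"
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in wanted:
                hits.append((num, qname))
    return hits


def schedule_for_demo_window() -> dict:
    """The week starting 19 April 2012, the window the post's numbers refer to."""
    return sinkhole_schedule(date(2012, 4, 19), 7)


def demo() -> list:
    """Scan constructed DNS log lines; exactly one query hits the domain for 2012-04-20."""
    start = date(2012, 4, 19)
    planted = generate_domain(start + timedelta(1))
    log = [
        "2012-04-20T10:01:02 10.0.0.5 query www.apple.com.",
        f"2012-04-20T10:01:09 10.0.0.5 query {planted}.",
        "2012-04-20T10:02:15 10.0.0.7 query example.org.",
    ]
    return match_dns_log(log, start, 7)
```

The same schedule is why the discrepancy discussed at the top of this page matters: a sinkhole only counts bots that actually reach it, so anything that holds bots on a different connection (or resolves their domains to localhost) silently drops them from the count.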

Mac users that have not bothered updating their system with the latest Java updates from Apple should do so immediately.

As we’ve previously mentioned, Flashback isn’t the only piece of malware exploiting Java vulnerabilities to infect Macs. The Sabpab Trojan exploits the same Java Runtime Environment vulnerability (CVE-2012-0507) to infect OS X machines.

Update 4/23 -  There have been conflicting reports of how many Macs remain infected by the Flashback Trojan. Researchers over at Intego have discovered that DNS redirection may be playing a role in the conflicting reports. Check out what they have to say.


Wednesday, April 18, 2012

Watch Out for Android Malware Posing as Popular Instagram App

Thinking about finally jumping on the bandwagon by trying out the Instagram app on Android?

Be sure that you download it from the Google Play store and not some random website.

Security experts at Sophos discovered that cybercriminals are attempting to capitalize on the fact that Instagram recently became available to Android users AND buzz stemming from the company being acquired by Facebook by pushing malware posing as the Instagram app.

The fake Instagram app is (thankfully) not available within the legitimate Google Play store, so you should be safe if you’ve downloaded the app from there. The miscreants behind it created websites dedicated to offering the disguised malware, which Sophos detects as Andr/Boxer-F.

And no, Andr/Boxer-F doesn’t do a very good job of pretending to be Instagram, but that may be because the goal of the app is to generate revenue for its authors by firing off expensive international text messages, not make it easy for you to snap photos, play with filters and share them with friends.

One strange thing to note: the .APK file for the fake Instagram app contains multiple copies of a photo of an unidentified man (pictured right), which Sophos speculates is used to change the fingerprint of the file in order to evade detection by rudimentary antivirus scanners.
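Padding a package with junk is cheap for the attacker because a whole-file hash changes with every extra byte, while the code that actually sends the premium SMS does not change at all. The snippet below is an added example, not Sophos's analysis code: it builds two constructed "APKs" in memory (an APK is just a ZIP, and the manifest and classes.dex bytes here are stand-ins, not real Android bytecode) with the same code and different numbers of identical photos, and shows that hashing the classes.dex member, plus counting duplicated members, sees through the padding that defeats the whole-file hash.

```python
"""Why padding a package with junk images changes its whole-file hash but not
the code it carries: fingerprint the classes.dex member instead of the archive
and count duplicated members. Added example, not Sophos's analysis code; the
packages are constructed in memory and the bytes are stand-ins."""
import hashlib
import io
import zipfile


def build_fake_apk(photo_copies: int) -> bytes:
    """Constructed stand-in for the fake Instagram APK: fixed code, N identical 'photos'."""
    photo = b"\xff\xd8\xff\xe0" + b"\x00" * 64      # JPEG SOI/APP0 markers plus filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.notinstagram'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"sendTextMessage(premium)" * 4)
        for i in range(photo_copies):
            z.writestr(f"res/drawable/man{i}.jpg", photo)
    return buf.getvalue()


def whole_file_hash(apk: bytes) -> str:
    """What a naive blocklist matches on; one extra member changes it."""
    return hashlib.sha256(apk).hexdigest()


def code_hash(apk: bytes) -> str:
    """SHA-256 of classes.dex only: survives repacks that merely add resources."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return hashlib.sha256(z.read("classes.dex")).hexdigest()


def same_code(apk_a: bytes, apk_b: bytes) -> bool:
    return code_hash(apk_a) == code_hash(apk_b)


def duplicated_members(apk: bytes) -> int:
    """Members whose content appears more than once: a cheap indicator of padding."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            seen.setdefault(hashlib.sha256(z.read(name)).hexdigest(), []).append(name)
    return sum(len(names) for names in seen.values() if len(names) > 1)
```

Real repacked malware also tweaks resource names and recompresses, so production scanners go further (per-class or per-method hashing of the dex, and behavioural signatures for the SMS-sending code), but the principle is the one shown: hash what the malware cannot afford to change.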

There's no telling who this man really is or why his photo was used, but personally, he reminds me of Will Ferrell with a funky haircut.

If you plan on downloading Instagram – or pretty much any other app for that matter – be sure that you download it from the official Android marketplace.  And make sure you always check the # of downloads, reviews, etc. to help weed out any other malicious applications.

Have you tried out Instagram yet? Who do you think the man in the photo looks like?


Tuesday, April 17, 2012

Spam Questions President's Sexual Orientation to Spread Keylogger

What would you do if you received an email claiming that the President was a homosexual – and offered a photo as “proof”?

Would you:

A) Delete the email without attempting to view the image.
B) Find yourself trying to check out said incriminating photo.

Kudos if you picked A.

However, if you chose B… well, there’s a pretty good chance you just invited a keylogger to take up residency on your system.

At least, that’s what happened when security researchers over at Barracuda Labs intercepted a spam message that claimed the U.S. President was gay and welcomed recipients to click a malicious link to "see for themselves."

Screenshot Credit: Barracuda Labs

From: Thomas PIVATO

My friends said Obama was a Gay. I never believed it till I saw this picture of him  You may like to see it for your self, just click on the bellow link.


Thomas Pivato, Fire officer (Mr.)
Fire and Safety Platoon
Security and Safety Service
Division of Management
United Nations Office at Vienna

Tel: (+43-1) 26060-3903
Fax: (+43-1) 26060-5834
Website: www.unov.org

Unfortunately, anyone gullible enough to fall for it would be distracted with an adorable koala photo (see the cute, fluffy guy shown above) while a commercially available keylogger identified as ‘Perfect Keylogger’ is silently installed on their machine in the background.

From there, Perfect Keylogger will keep a close eye on the user’s every move – taking note of what programs that are launched, logging every key pressed and taking screenshots to make sure that absolutely nothing is missed. All of the collected data will be uploaded to a remote server via FTP.

So who would actually fall for this type of trickery?

“Only a few days after the spam was first seen there are a large number of folders on the keylogger website, each representing a person who clicked on the initial link and ran the downloaded program.” Barracuda Labs Security Researchers Dave Michmerhuizen & Luis Chapetti wrote in their Monday blog post, “It appears that outrageous headlines spurs curiosity which is effective in getting people to click on links and install malware.”

That being said, if you receive an unsolicited email boasting some juicy gossip, it’s probably best that you avoid clicking on any embedded links or downloading any attached files. Spammers will say almost anything to drive users to malicious sites or hand over sensitive information.

Don't let curiosity get the best of you or your PC!

(On a side note, it couldn't hurt to refine your dangerous image link detection skills.)


Monday, April 16, 2012

Buy of the Week: 24-inch ViewSonic LCD monitor for $187!

This offer expired on 4/20/12. Please check the banner ad at the top of the page for the latest deal.

ViewSonic's VA2431wm is an ENERGY STAR 5.0 certified, environmentally friendly 24" (23.6" viewable) widescreen monitor with integrated speakers.

With 1920 x 1080 Full HD resolution, 100,000:1 dynamic contrast ratio, DVI and VGA inputs and a VESA-mountable glossy-finish design, the VA2431wm is ideal for both homes and offices. It also has automatic aspect ratio adjustment, so when the input is a 4:3 signal the image is not distorted and is perfectly positioned in the middle of the screen with side bars.

For a limited time, you can order a brand new 24-inch ViewSonic LCD monitor for only $187, plus shipping and taxes! Call (619) 325-0990 to buy yours today!

ViewSonic 24-inch LCD Monitor Specs

Diagonal Size: 24 inches (23.6" viewable)
Display Type: LCD TFT active matrix
Native Resolution: 1920 x 1080 Full HD
Brightness: 300 cd/m2
Image Contrast Ratio: 1000:1 / 100,000:1 (dynamic)
Response Time: 5 ms
Pixel Pitch: 0.2715 mm
Screen Coating: Anti-glare, hard coating
Interfaces: DVI-D, VGA
Warranty: 3-year Limited Warranty

Don’t miss out on this Buy of the Week! Call (619) 325-0990 to order your 24-inch ViewSonic LCD monitor today!

Buy of the Week offer valid through April 20th, 2012.

* Shipping and taxes apply.


Fire Safety Guidance Spam Totes Malicious File Attachment

It seems that spammers are hoping to teach a lesson in fire safety while hoping you forget everything you know about email safety.

A malicious spam message, titled “FW: Scheduled Event Notification”, serves as an alleged notice that whatever organization you’re working for is preparing for an upcoming fire safety test that three in ten employees fail.

To make sure you’re not a part of this month’s failing 30%, you’re advised to download the attached file, “Fire Safety Guidance.pdf.zip” before tomorrow (4/17/12):

Fire Safety Guidance Spam
Subject: FW: Scheduled Even Notification
From: Jessalyn Escuriex – Department of Human Resources (jessalynescuriexzmgh[at]mail.com)

Dear Associates

It might be useful for you to know that we are participating in a joint event with Fire and Counter Terrorism Safety including 4 written tests on Friday.

Last month three in ten employees surveyed could not pass the Fire Safety test.

Each of you will find enclosed a Fire Safety Guidance and your role description. Please take a look at the enclosed materials before 17th of April.

Kind regards,
Jessalyn Escuriex
Department of Human Resources

However, it is important that you do NOT download the attached file, as it contains malware that Sophos identifies as Mal/BredoZp-B.

One thing I found particularly alarming about this malware is that, according to VirusTotal scan results, only 10 of 41 antivirus engines detected it. Surprisingly, popular antivirus products from highly reputable companies like F-Secure, Trend Micro, Microsoft, McAfee and Avast were not among the 10 that sniffed the malware out.

Remember, it is never a good idea to download files from unsolicited emails – even if they appear genuine. Antivirus software is only one of many layers of protection and is never 100%. It is important that you exercise caution and always remain vigilant when sifting through your inbox to minimize your chances of downloading a malicious file attachment.

If you receive this email, feel free to delete it without downloading any files attached.

In the future, if you receive a suspicious email with a file attachment that you simply cannot resist, at least scan it (with your mail provider's attachment scanner or a multi-engine service such as VirusTotal) before you open it.
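Beyond antivirus, the attachment in this post gives itself away structurally: a "document" name that ends in an archive extension, and an executable inside the archive. The script below is an added example, not Sophos's or VirusTotal's code. It triages an attachment by its extension chain, by the magic bytes at the start of the file, and by what a ZIP contains; the archive it inspects is constructed in memory (a zip holding a fake "Fire Safety Guidance.pdf.exe" whose contents are a bare MZ header, not real malware).

```python
"""Triage a mail attachment before anyone opens it: flag the double extension
the post's sample uses ("Fire Safety Guidance.pdf.zip"), look inside archives
for executables, and compare magic bytes with the claimed type. Added example,
not Sophos's or VirusTotal's code; the attachment is constructed."""
import io
import zipfile
from pathlib import PurePosixPath

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
ARCHIVE_EXTS = {".zip"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".exe": b"MZ"}


def extension_chain(name: str) -> list:
    """All suffixes of the final path component, lower-cased: 'a.pdf.zip' -> ['.pdf', '.zip']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def triage_attachment(name: str, data: bytes) -> list:
    """Return human-readable reasons this attachment deserves suspicion (empty if none)."""
    reasons = []
    exts = extension_chain(name)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in ARCHIVE_EXTS | EXECUTABLE_EXTS:
        reasons.append(f"document-looking double extension: {''.join(exts)}")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment ({exts[-1]})")
    expected = MAGIC.get(exts[-1]) if exts else None
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match {exts[-1]} magic bytes")
    if exts and exts[-1] == ".zip" and data.startswith(MAGIC[".zip"]):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                inner = extension_chain(member)
                if inner and inner[-1] in EXECUTABLE_EXTS:
                    reasons.append(f"archive contains executable: {member}")
                elif len(inner) >= 2 and inner[-2] in DOCUMENT_EXTS:
                    reasons.append(f"archive member with double extension: {member}")
    return reasons


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the post's attachment: a zip wrapping a fake .pdf.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Fire Safety Guidance.pdf.exe", b"MZ" + b"\x00" * 64)   # MZ header only
    return buf.getvalue()


if __name__ == "__main__":
    for reason in triage_attachment("Fire Safety Guidance.pdf.zip", build_sample_attachment()):
        print("-", reason)
```

Note that Windows hides known extensions by default, which is precisely why "Guidance.pdf.exe" displays as "Guidance.pdf" to the person who unzips it; the checks above run on the real filename, not the displayed one.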



Saturday, April 14, 2012

Scareware Spooks File Sharers into Giving Credit Card Info with SOPA Threats

SFX Fake AV is an interesting piece of scareware making the rounds, attempting to swindle gullible users into forking over dough by claiming they’ve been busted for violating copyright laws and threatening that they may be sued under SOPA, despite the bill having been shelved earlier this year.

According to The Register, SFX Fake AV displays a dialog to the end-user stating that it found illegal torrent links on their PC and, interestingly enough, offers to help solve the problem by activating an “anonymous data transfer protocol” for the torrent links.

SFX Fake AV Illegal Torrent Detection AlertImage Credit: The Register

That comes after SFX Fake AV disables any legitimate antivirus software installed on the machine, stops Process Explorer (procexp.exe) and keeps any browsers from loading to force the user into supplying payment information.

In addition to holding the compromised system hostage and offering an alleged way to evade authorities while downloading illegal torrents, SFX Fake AV also performs a bogus system scan that identifies the Windows Registry Editor (regedit.exe) as a “porn tool.”

Bruce Harrison, VP Research at Malwarebytes, whose free scanner first detected SFX Fake AV, told The Register, “SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is a something that the industry is going to have to take into account and protect against, as it is an emerging trend.”


Friday, April 13, 2012

New Mac Trojan Exploiting Same [Patched] Java Vulnerability as Flashback

This is a perfect example of why it’s important to keep your system patched and up to date regardless of what operating system you use.

Symantec has warned that a new Trojan horse, OSX.Sabpab, is hoping to follow in the digital footsteps of the Flashback malware by exploiting one of the (patched) Java vulnerabilities (CVE-2012-0507) that Flashback used to infect over 600,000 Mac computers.

According to Symantec’s security bulletin, once Sabpab Trojan makes its way onto your system, it will create system files to ensure it loads on system start-up and open a backdoor to grant an attacker remote control over the machine to create new processes, download arbitrary files, take desktop screenshots and upload files to a remote server.

To avoid being hit by this latest threat, Mac users should make sure they’ve installed all of the necessary Apple updates to close the targeted Java security hole.

Considering Java vulnerabilities are often exploited to plant malware on vulnerable machines, users should consider toggling Java browser plug-ins as necessary to protect against drive-by-download attacks or disabling/uninstalling Java completely if it’s not needed to eliminate the threat altogether.

Additionally, it may be beneficial for Mac users to install antivirus software to add an extra layer of protection against malware threats. Sophos offers Mac antivirus for free, so why not give it a shot? Other companies like Intego, ESET and Kaspersky also offer Mac antivirus software, so if you prefer a specific vendor, I recommend checking them out.

Stay safe, Mac users!


Apple Releases its Flashback Removal Tool to Mac Users

Make sure you take a moment to update your computer today, Mac users.

Apple has kept its word and released another Java update, this time to remove the most common variants of the Flashback malware.

Aside from that, Apple’s advisory on the Java update for Lion states that it will "configure the Java web plug-in to disable the automatic execution of Java applets" to help thwart future malware attacks. Lion users will be able to re-enable the feature, however if the Java web plug-in goes unused for an extended period of time it will automatically be disabled again.

Meanwhile, the details for the Java update for Snow Leopard (OS X 10.6) recommends that the Java plug-in be disabled manually.

It is recommended that all Mac users who have Java installed apply the “Java for OS X Lion 2012-003” update (or, on Snow Leopard, “Java for Mac OS X 10.6 Update 8”).


Thursday, April 12, 2012

What’s the Latest on the Flashback Malware Outbreak?

It’s likely that you’ve heard about how the Flashback malware shattered the façade of superior security in Apple products by infecting upwards of 600,000 Mac systems, the majority of which reside in the United States.

Since then, security researchers have been monitoring the size of the Flashback botnet, antivirus vendors have released free tools to help Apple users detect and remove the Flashback malware from their computers and naturally the banter between pro-Windows and pro-Mac users has increased.

However, amidst the scrambling of Mac users to determine whether or not their system had been infected and taking the proper steps to makes sure their malware-free Apple products remained just that, there is a bit of good – and interesting – news.

Researchers Report the Flashback Botnet Size Has Decreased

Dr. Web first reported that the Flashback botnet was 550,000 Macs strong on April 4th and Kaspersky Lab confirmed that the botnet had grown to a whopping 650,000+ Macs two days later.

But then... the weekend came and the Flashback botnet lost its mojo.

Kaspersky Lab reported that the number of infected Macs was cut in half, dropping down to 237,000.  Researchers believe that the “sinkholing” operations carried out by numerous security firms contributed to the decline of the botnet’s size by interrupting the communications between the zombie Macs and the malware’s command & control servers. Good job!

Security Vendors say Mac Antivirus Sales Have Increased

Aside from the botnet shrinking, it appears that Mac users took a big interest in antivirus software.

Peter James, a spokesperson for Intego, a French security company that specializes in Mac antivirus software, told Computer World that the company witnessed a substantial increase in both sales and downloads of their Mac antivirus software since the Flashback malware made headlines.

Graham Cluley of Sophos Security also stated that they’d seen an increase in Mac antivirus software downloads. Sophos offers a free antivirus solution, Sophos Anti-Virus for Mac Home Edition to help Apple users protect their systems.

Not too much of a surprise considering the circumstances, but interesting nonetheless, since Macs have long been marketed as malware-free products that don't require an antivirus (or anti-malware) scanner.

Apple is Preparing a Removal Tool

One of the most surprising things about the Flashback outbreak – aside from the number of compromised computers – is the fact that Apple actually spoke out about a security issue before releasing a patch for it.

In the past, Apple has kept tight-lipped about system vulnerabilities until they have been investigated and a patch is readily available. Apple says it does this to help protect its users and their systems, but as the Flashback Trojan has shown, not informing users of potential threats can do more harm than good.

Either way, Apple is currently developing an update that will detect and remove the Flashback Trojan from infected systems. Although the solution will come long after security companies have released their own free tools, it will still be useful since there are likely users out there who haven’t been following the news and have no idea that their systems have been hit.

Update 4/13/12: Apple Releases its Flashback Removal Tool to Mac Users


Our Recent Switch to Office365: How it Went & First Impressions

We recently switched to Microsoft Office365!

Prior to the transition, we were running our own Exchange Server in-house and while that’s fine & dandy, we decided it was time to move everything into the cloud.

Not to mention, we were among the millions of San Diegans affected by the massive power outage back in September 2011. As you can imagine, it’s fairly hard to work without power at a technology company, so... to the cloud we go!

Migrating from Microsoft Exchange to Office365

Thankfully, Microsoft made it extremely easy to transition from an Exchange Server to Office365.

Transferring users, groups and mailboxes was painless and mail continued to be sent/received through the Exchange Server while the migration process was underway, minimizing the impact that the transfer had on the business workflow.

Once the migration was done, all of the mailboxes were synchronized one last time to make sure nothing was skipped. MX records were then updated right before the migration was finished and voilà! The data migration was done.

Now, since we opted for the plan with all of the fixings (E3, cloud-based email, shared calendars, Lync, Office Web Apps, SharePoint & Office Professional Plus), we had to install the complete suite of Microsoft Office 2010, Lync 2010, and setup our desktop for Office365. Again, a piece of cake since all of the necessary files were available for download upon our first login to the Microsoft Online portal.

And of course since we’re all constantly glued to our smartphones after we leave the office for the day, we each updated our Android devices to sync our mail, contacts & calendars from Office365.

Our First Impressions of Microsoft Office365

So, how do we feel after the switch?

Obviously, we were all a fan of the ease of the migration.

Cloud-based email has made it very easy for us to check our email from virtually any computer that has a browser and internet access. We can easily share calendars and synchronize our schedules, which can be a big help when sales calls come into play.

Personally, I’ve become a fan of SharePoint since it allows me to save documents created in Office straight to the cloud. From there, Word, Excel, PowerPoint & OneNote documents can easily be edited online, which is helpful when you’re not using a work computer with Office installed (*cough*my personal Mac*cough*).

Not to mention, the Team Site allows me to store our marketing content in one central location that each of us can access from anywhere at anytime.

It's also comforting to know that everything is backed by enterprise-grade reliability, disaster recovery capabilities, multiple data centers, continuous monitoring and a very strict privacy policy. All with a guaranteed 99.9% up-time, money-back guarantee!

Want to Try Microsoft Office365 In Your Business?

For those of you who didn’t know, Office365 offers flexible, pay-as-you-go pricing plans that help you get all of the functionality you need in your business. If you’re interested in a 30-day trial (no credit card required), you can sign up for one of the following plans:

  • Small business plan (P1), which includes:

    • Cloud-based email

    • Shared calendars

    • Instant messaging, PC-to-PC calling, and video conferencing

    • Web-based viewing and editing of Word, Excel, PowerPoint, and OneNote files

    • Team intranet site for sharing files and content

    • External website

    • Antivirus and anti-spam filtering

    • Microsoft community support

  • Midsize business & enterprises (E3), which includes everything in the P1 plan, PLUS:

    • Live 24x7 IT customer phone support

    • Office Professional Plus 2010 desktop version subscription (for up to 5 devices per user)

    • Active Directory synchronization

    • Configurable anti-spam filtering

    • Unlimited email storage and archiving

    • Hosted voicemail support

    • Team intranet site with 300 sub-sites for sharing files and content

    • Customize this plan by purchasing additional services like Kiosk plans and additional storage

    • Supports on-premise, online, and hybrid deployment options

I’ll be posting more about Microsoft Office365 in the coming weeks, so keep an eye out if you’ve been thinking about making the switch in your business.

Feel free to shoot over any questions you may have as well.


Wednesday, April 11, 2012

What Information Can an Android App with No Permissions Access?

It’s always a good idea to check the requested permissions when installing an application on your Android phone.

By doing so, you could potentially spot a malicious application before allowing it to sink its teeth into your smartphone and all of the juicy information stored on it.

Aside from smartphone malware, strange permission requests can also hint that an app has the potential to stick its nose where it doesn’t belong. An example of that was when Facebook was accused of using its Android app to spy on users’ text messages. (More on that here.)

But with that comes another question: what can an app with no permissions do?

Surprisingly, Paul Brodeur of Leviathan Security discovered that an app without any permissions can pull a list of all non-hidden files on the SD card, determine which apps are installed on a device (and check whether sensitive data can be read from their associated directories), and grab unique identification information about that device. (At the time, Android required no permission at all to read external storage; the READ_EXTERNAL_STORAGE permission only arrived with Android 4.1.)

Brodeur was able to pull the above information after creating a proof-of-concept app, “No Permissions” and testing it against Android 4.0.3 and Android 2.3.5.

In his Monday blog post, Brodeur warned that a good amount of data (photos, backups and any external configuration files) is stored on the SD Card, all of which can be fetched by his permission-less app, which is the perfect scenario for any data-hungry attacker.

Not only that, but with the no-permission app being able to see what apps are installed and see what sensitive data can be read, Brodeur suggested that such a feature can be used to check for apps that have weak permission vulnerabilities that are prime for exploitation.

And although the phone’s IMEI and IMSI are out of reach, Brodeur was able to collect the GSM and SIM vendor IDs, a file containing the kernel version or custom ROM name (if applicable), and the Android ID using his proof-of-concept app.

Of course, how could ANY of the collected data leave the phone without internet permissions?

Well, an ACTION_VIEW Intent carrying a URI doesn’t require any permission and can be used to open the browser, at which point the collected data can be passed along as GET parameters in that URI. This works even if the permission-less app is not in focus (i.e., not the active app). Sneaky, sneaky.

As always, be careful what applications you install on your smartphone.


Tuesday, April 10, 2012

Flashback Trojan Infects Over 600,000 Macs - How to Detect & Remove It From Your Mac

Was your Mac one of 600,000 machines infected by the Flashback Trojan?

For the last few weeks, Flashback has made headline after headline since it was discovered by Dr. Web that the Trojan had created a botnet that was half a million Macs strong. Those numbers were later confirmed by security experts over at Kaspersky Lab.

The large number of infected OS X machines was due to the Flashback Trojan exploiting an unpatched Java vulnerability (CVE-2012-0507) via drive-by-download attacks. No user interaction was necessary for the malware to be downloaded & installed on the target machine – it was all done silently in the background the moment a user visited a malicious site serving the malware.

A lot of the blame has been placed on Apple for its delay in patching the Java vulnerability responsible for a large amount of the infections. The Java flaw was patched back in February by Oracle; however, Apple didn’t release a fix to OS X until April 3rd.

Of course, word that such an alarming amount of Macs have been infected by malware has revived the ongoing debate of whether or not Macs are safer than PCs.

Still, how is a Mac user to cope with a malware outbreak that has been compared to the infection rate of the Conficker worm for Windows computers back in 2008-2009?

Detecting & Removing the Flashback Trojan on Your Mac

Thankfully, Kaspersky Lab has produced all of the tools an OS X user needs to both detect and remove the Flashback Trojan from their computer.

  1. To check if your Mac has been infected by the Flashback Trojan (aka Flashfake), visit this site: flashbackcheck.com

  2. If your Mac is infected, you can download their free removal tool to get rid of it.
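The lookup in step 1 asks Kaspersky’s server whether your hardware UUID has phoned home. You can also check for the Trojan’s persistence mechanism yourself: Flashback variants loaded themselves into browsers by setting DYLD_INSERT_LIBRARIES, either inside the LSEnvironment dictionary of Safari’s Info.plist or in the user-wide ~/.MacOSX/environment.plist, which is exactly what F-Secure’s published removal instructions inspect with `defaults read`. The Python script below is an added example, not Kaspersky’s tool and not code from this post: it parses those two plists and reports any injected library path. The sample plists embedded in it are constructed for offline testing and the dylib name in them is made up.

```python
"""Added example (not Kaspersky's tool and not code from the original post):
look for the Flashback Trojan's documented persistence mechanism instead of,
or as well as, the UUID lookup. Flashback variants loaded themselves into
browsers by setting DYLD_INSERT_LIBRARIES, either inside the LSEnvironment
dictionary of Safari's Info.plist or in the user-wide
~/.MacOSX/environment.plist; a clean Mac has that variable in neither place.
"""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

INDICATOR_KEY = "DYLD_INSERT_LIBRARIES"

# Documented persistence spots, mapped to the dictionary that holds the
# environment variables in each (None: they sit at the top level of the plist).
PERSISTENCE_TARGETS = {
    "/Applications/Safari.app/Contents/Info.plist": "LSEnvironment",
    "~/.MacOSX/environment.plist": None,
}


def find_dyld_injection(plist_bytes: bytes, env_key: Optional[str]) -> List[str]:
    """Return the library paths named by DYLD_INSERT_LIBRARIES, or [] if clean."""
    data = plistlib.loads(plist_bytes)          # handles XML and binary plists
    if not isinstance(data, dict):
        return []
    env = data.get(env_key, {}) if env_key else data
    if not isinstance(env, dict):
        return []
    value = env.get(INDICATOR_KEY)
    if not isinstance(value, str) or not value:
        return []
    # The variable is a colon-separated list of dylibs to inject into every process.
    return [p for p in value.split(":") if p]


def scan_mac() -> Dict[str, List[str]]:
    """Check the real files (when present) and map each one to the libraries it injects."""
    findings: Dict[str, List[str]] = {}
    for raw_path, env_key in PERSISTENCE_TARGETS.items():
        path = Path(raw_path).expanduser()
        if not path.is_file():
            continue
        hits = find_dyld_injection(path.read_bytes(), env_key)
        if hits:
            findings[raw_path] = hits
    return findings


# Constructed sample plists for offline testing; the dylib paths are made up.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.injected.dylib</string>
  </dict>
</dict></plist>"""

INFECTED_ENV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/Shared/.injected.dylib:/tmp/.second.dylib</string>
</dict></plist>"""

if __name__ == "__main__":
    for label, blob, key in (("clean Info.plist", CLEAN_INFO_PLIST, "LSEnvironment"),
                             ("infected Info.plist", INFECTED_INFO_PLIST, "LSEnvironment"),
                             ("infected environment.plist", INFECTED_ENV_PLIST, None)):
        print(f"{label}: {find_dyld_injection(blob, key) or 'clean'}")
    print("this machine:", scan_mac() or "nothing found in the documented locations")
```

Run it as-is on a Mac; if anything is reported, the free removal tools above will clean it up. Other browsers’ Info.plist files can be checked the same way by adding them to PERSISTENCE_TARGETS.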

Flashback infections aside, it may be time to install antivirus software on your Mac. I suggest checking out the Mac antivirus offerings of ESET, Sophos (free) & Intego.

Was your Mac infected by the Flashback Trojan? Has the Flashback Trojan outbreak changed your perception on the security of Apple computers?


Monday, April 9, 2012

"OMG I'm laughing so hard at this picture.." DMs Phish for Twitter Login Credentials

One, two, account phishers are coming for you...

That’s right, Twitter users!

Cybercrooks are hoping to cheat you out of your Twitter account by sending you a DM that reads something like this:

Twitter Phishing DM
rofl...omg i am laughing so hard at this picture of me my friend posted [LINK]

Twitter Phishing PageUpon clicking the link, you will be taken to a Twitter login phishing page claiming that your session has expired and that you will need to login again.

If you make the mistake of logging in, your Twitter username and password will be sent off to the bad guys so they can take over your account and do whatever they wish.

Take note that multiple domains may be used in this phishing scheme and that it’s likely the scammers change the domain names as they are flagged.

As a rule of thumb, it is always a good idea to double-check the URL in your browser’s address bar before submitting your username and password – regardless of what website you’re logging into. So try to make it a habit of doing so.

Stay safe, Tweeters!


"Thank You for Your Video" YouTube Spam Links to Pharmacy Websites

I hate to break it to you, but YouTube isn’t really thanking you for your video.

What you’re looking at is the latest variant of a YouTube spam campaign focused on driving traffic to illegal pharmacy websites.

Yes, spammers are spitting out another round of those YouTube spam emails we saw at the beginning of March. If their spam schedule is anything like last month’s, we can expect to see many more of these messages in the days to come.

Don’t be fooled by the noreply@youtube.com sender address either – it’s spoofed to make you think the email is genuine, even though it’s far from it:

YouTube Notification Spam
From: YouTube (noreply@youtube.com)
Subject: Thank you for your video

YouTube              help center | e-mail options | report spam

YouTube sent you a notification:
Thank you for your video

http:// www.youtube.com/watch?v=jK1FKHSjR0n&feature=b-mv

You can unsubscribe from our emails and newsletters at any time. Click here to unsubscribe.

© 2012 YouTube, LLC
901 Cherry Ave, San Bruno, CA 94066

All of the links within the emails point to a random third-party site that will direct you to an illegal pharmacy website, including the fake “unsubscribe” link.

If you happen to receive this email or one similar to it, it’s strongly recommended that you delete it without clicking on any of the links. Remember: fewer clicks mean less motivation to spam!


Buy of the Week: 13.3" MacBook Pro for $1,448!

The first time you pick up a MacBook Pro you'll notice the difference it makes. The entire enclosure is thinner and lighter than other notebooks. It looks polished and refined. And it feels strong and durable - perfect for life inside (and outside) your briefcase or backpack.

Until April 13th, 2012, you can order a new 13-inch Apple MacBook Pro from Hyphenet for only $1,448*!

Call Hyphenet at (619) 325-0990 to order your 13-inch MacBook Pro today!

Specifications for the 13-inch MacBook Pro

Display: 13.3" widescreen LED-backlit TFT, 1280 x 800 (WXGA)
Processor: Intel Core i7 2.8 GHz
Hard Drive: 750 GB HDD (5400 rpm)
Graphics Processor: Intel HD Graphics 3000
Networking: Gigabit Ethernet; WLAN 802.11 a/b/g/n; Bluetooth 2.1 EDR
Operating System: Mac OS X 10.7 Lion
Optical Drive: DVD±RW (±R DL)
Camera: Integrated (1280 x 720)
Battery: Lithium polymer, 63.5 Wh (up to 7 hrs run-time)
Warranty: Apple 1-year limited warranty; technical support (phone consulting) for 90 days

Don't miss out on this Buy of the Week! Call Hyphenet at (619) 325-0990 to order your 13-inch MacBook Pro!

Buy of the Week offer valid through April 13th, 2012.

* Shipping, taxes and CRV may apply.

Hyphenet is an Authorized Apple Reseller.

Friday, April 6, 2012

Bogus AT&T Billing Emails Point to Malicious Sites Serving Malware

Is that a real AT&T wireless bill for over $900 or is that a trick?

Unless you’ve been chatting up a storm, texting everyone you can non-stop or downloading every app that even APPEARS interesting to you, it’s likely just a ploy to get you to click on a link that will take you to a malicious site that will attempt to install malware on your PC.

Yes, it’s the very same wool that cybercrooks recently tried to pull over Verizon Wireless customers’ eyes.

At first glance the spam messages, titled "Your wireless bill is ready to view" appear genuine, alerting you that your latest wireless bill is available to view online. That's how they get you though, for not a single link within the bogus AT&T billing email points to the AT&T website:

AT&T bill spam screenshot (credit: PC Mag SecurityWatch)

Instead, they will direct you to a compromised website that will attempt to exploit vulnerabilities within Adobe Reader, Adobe Acrobat or Windows Help Center in order to plant malware on your computer.

If you receive an AT&T billing notice with an outrageous balance, be sure that you mouseover any embedded links to make sure they point to the actual AT&T domain (att.com) and not some third-party site.

No att.com domain = no clicking. You've been warned!


Thursday, April 5, 2012

Facebook Mobile App Flaw Leaves Accounts Open to Hijacking on Jailbroken Phones

Is there a security hole in the Facebook app for iOS and Android that could allow an attacker to easily hijack your Facebook account?

Apparently there is, but only if your phone is jailbroken.

It was reported this morning that Gareth Wright, a U.K.-based Android and iOS app developer, discovered a rather serious security flaw within the native Facebook app that could potentially be used to hijack Facebook accounts.

The vulnerability stems from the fact that a user’s full OAuth credentials were stored in plain text in the Facebook app’s plist file, which houses the user’s settings and carries an expiration date of January 1st, 4001.

Wright made the discovery while rummaging through application directories with iExplorer (a free tool often used to browse iOS files) and finding that the popular Draw Something game by OMG POP held a Facebook access token, also kept in plain text.

Curiosity then drove him to copy the token and run a few FQL (Facebook Query Language) queries, which allowed him to pull “pretty much any information” from his Facebook account.

From there, he couldn’t resist knowing what the Facebook app stored and browsed through the Facebook application directories until he found the unencrypted authorization credentials tucked away in the plist file.

Of course, should an attacker get their grubby paws on a user’s Facebook token, they can hijack that user’s account simply by dropping it into their own copy of the Facebook app and launching it. Wright witnessed this first-hand when he sent his own .plist file to a friend and watched as said friend posted updates to his Facebook Wall, sent some private messages, liked a few random pages and installed an application or two.

However, there was a single piece of information that Wright didn't mention in his Tuesday post: he was using a jailbroken iPhone.

According to a statement posted on the official Facebook Security page, the access token is only vulnerable on jailbroken phones:
We have noticed several articles claiming your Facebook account is at risk if you use Facebook for iOS or Android. This is NOT true.

Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if users have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. To protect yourself we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.

So, if you’re running the Facebook app on an unaltered iPhone or Android device, there’s no reason to worry.

But if you ARE using a jailbroken device, take heed of Wright’s warnings and think twice before hooking your iPhone up to a stranger’s speaker dock or USB cable. Oh, and make sure you have a way to remotely wipe your device should it ever be stolen.
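To see what Wright’s find looks like from the auditing side, here is an added example (not Wright’s code, not Facebook’s, and not from this post): a Python checker that walks a preferences plist and flags string values stored under credential-looking key names, plus any date so far in the future that the token it belongs to never really expires. The key names, token string and dates in the sample plists are constructed, since the post does not give the real ones, and the one-year lifetime cut-off is an assumption to tune.

```python
"""Added example (not Wright's code, not Facebook's, and not from the post):
audit an app's preferences plist for secrets stored in the clear. It flags
string values sitting under credential-looking key names and date values so
far in the future that the token never really expires. Key names, token
strings and dates in the sample plists are constructed."""
import plistlib
from datetime import datetime, timezone
from typing import Any, List, Optional, Tuple

# Key-name fragments that suggest a credential; tune for the app being audited.
SECRET_HINTS = ("token", "secret", "password", "passwd", "oauth", "session")
# Assumption: a token valid for more than a year is, in practice, permanent.
MAX_TOKEN_LIFETIME_DAYS = 365
# Fixed "now" so the sample audit gives the same result every run.
SAMPLE_NOW = datetime(2012, 4, 5, tzinfo=timezone.utc)


def _flatten(node: Any, path: str = "") -> List[Tuple[str, Any]]:
    """Turn a nested plist into (dotted.path, leaf_value) pairs."""
    if isinstance(node, dict):
        pairs: List[Tuple[str, Any]] = []
        for key, value in node.items():
            pairs.extend(_flatten(value, f"{path}.{key}" if path else str(key)))
        return pairs
    if isinstance(node, list):
        pairs = []
        for index, value in enumerate(node):
            pairs.extend(_flatten(value, f"{path}[{index}]"))
        return pairs
    return [(path, node)]


def audit_plist(plist_bytes: bytes, now: Optional[datetime] = None) -> List[str]:
    """Report plaintext credentials and effectively non-expiring dates in a plist."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for path, value in _flatten(plistlib.loads(plist_bytes)):
        key_text = path.lower()
        if isinstance(value, str) and value and any(h in key_text for h in SECRET_HINTS):
            findings.append(f"plaintext credential at {path}")
        elif isinstance(value, datetime):
            # plistlib returns naive datetimes for <date>; they are UTC by definition.
            expiry = value if value.tzinfo else value.replace(tzinfo=timezone.utc)
            if (expiry - now).days > MAX_TOKEN_LIFETIME_DAYS:
                findings.append(f"effectively non-expiring date at {path} ({expiry.date()})")
    return findings


# Constructed samples: a plist shaped like the one described above, and a clean one.
LEAKY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AuthData</key>
  <dict>
    <key>access_token</key><string>CONSTRUCTED-TOKEN-0123456789</string>
    <key>expiration_date</key><date>4001-01-01T00:00:00Z</date>
  </dict>
  <key>ShowTips</key><true/>
  <key>LastSyncDate</key><date>2012-04-01T12:00:00Z</date>
</dict></plist>"""

CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ShowTips</key><true/>
  <key>LastSyncDate</key><date>2012-04-01T12:00:00Z</date>
</dict></plist>"""

if __name__ == "__main__":
    for label, blob in (("leaky", LEAKY_PLIST), ("clean", CLEAN_PLIST)):
        print(label, "->", audit_plist(blob, SAMPLE_NOW) or "nothing flagged")
```

On iOS the fix for anything this flags is to keep tokens in the Keychain rather than in a preferences plist, and to give them a real expiry so a copied token stops working on its own.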


When Good Websites Go BAD! [INFOGRAPHIC]

We all know how an innocent web surfing session can easily result in a malware infection.

But how often does that happen? And how often does it happen with popular sites that have been online for years? Those have to be safer, right?

Not necessarily...

Security researchers at Barracuda Labs recently ran a month-long experiment to determine just how safe the most-visited websites are. Using an automated tool that "forces a web browser inside a Windows virtual machine to visit a URL to see what happens to the browser, its plugins, and the operating system," they examined the 25,000 most popular domains listed on Alexa every day for the entire month of February.

What did they find? Well, I’ll just let this infographic paint the picture for you:

When Good Sites Go Bad [INFOGRAPHIC]

What steps are you taking to protect your PC from malware threats?


Wednesday, April 4, 2012

Facebook Users Targeted by Latest Ice IX Trojan Variant

“In order to provide you with extra security, we occasionally need to ask for additional information. We need to verify your identity with a credit or debit card.”

That is the sales pitch thrown at unsuspecting users when they attempt to login to their Facebook account from a computer infected with the latest version of Ice IX, Trusteer reports.

Below the verbiage is an assortment of input fields, injected into the page by the malware in hopes of stealing sensitive financial information like the cardholder name, credit card number, expiration date, CID and the billing address.

Billing Page Injected into Facebook Login Process

Once the user provides that information, it will be sent directly to the attacker so they can use it to run up fraudulent charges or possibly sell it to the highest bidder.

Trusteer researchers even found a “marketing” video used by the Ice IX authors that demonstrates how the web injection attack is carried out:

  1. The user goes to www.facebook.com and logs into an account.

  2. A dialog window pops up displaying the message explained above, although the video version takes it a bit further by asking for a social security number and date of birth in addition to the credit card details.

  3. The information supplied by the user is shown to be delivered via instant message to the attacker.

It is important to remember that Facebook will never ask for your credit card number, social security number or any other sensitive information aside from your Facebook username and password while logging in. So if you see a page asking for private information upon login, there’s a good chance your PC has been infected with some type of malware.

Additionally, Facebook informed Trusteer that it actively detects known malware on users’ devices and offers them a fix. You can run through the checkpoint by visiting on.fb.me/AVCheckpoint (note: you must be logged out of your account).

Screenshot Credits: Trusteer


Apple Releases Patch for Multiple Java Vulnerabilities

Time to update your system, Mac users!

Apple has finally released an update for Java that plugs a number of security holes, including the CVE-2012-0507 flaw that is actively being exploited by the latest variant of the Flashback Trojan in order to infect Macs.

It is strongly recommended that users apply the updates, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, as soon as possible.

Aside from installing the latest update, now may be a good time to consider whether or not you even need Java to be enabled on your machine. Cybercriminals often use known Java vulnerabilities in order to download and launch malware onto computers, so unless you absolutely need it, then it may be time to eliminate the risk.

You can disable Java by going to Applications → Utilities → Java Preferences and unchecking everything in the General tab.

Otherwise, you may just want to toggle the Java plug-in within your browser as necessary.

Photo Credit: Apple Support


Try Not to Step into the Free TOMS Shoes Facebook Scam

Contrary to what spammers want you to believe, you cannot score a free pair of TOMS shoes on Facebook.

The scam starts off like any other: you’re minding your own business, catching up on the latest from your friends via Facebook’s News Feed, when suddenly you come across a post advertising a free pair of TOMS shoes.

Now, the actual message and URL may vary since cybercriminals want to minimize the chances of Facebook blocking their junk offers, but the overall idea remains the same:

Grab free TOMS shoes spam
Free Toms’, For LIMITED TIME!

For the next 24 hours ONLY! Grab your NOW!

Since you happen to be a fan of TOMS shoes, you click the link and you’re redirected to a page on grabfreepair.info, which asks you to share the offer and like it in order to attract new victims (by exposing YOUR Facebook friends to it like your friend had done to you) and help the scam spread. 

TOMS shoes share offer page

After sharing the scam with your friends, you will be redirected to another website, tomsshoes.oursuperoffersnow.com, which will ask you to select a color, size and enter your email address.

Now, this is where you should really pay attention. There is a huge block of text at the bottom of the page that lists the requirements you must fulfill in order to score this “free” pair of TOMS shoes:
Eligible members can receive the incentive gift package by completing two reward offers from each of the Silver and Gold reward offer page options and NINE reward offers from the Platinum reward offer page options and refer 3 friends to do the same. Various types of reward offers are available. Completion of reward offers most often requires a purchase or filling a credit application and being accepted for a financial product such as a credit card or consumer loan.

So much for being “FREE”, huh? At this rate, you’re better off just locating a store near you that sells TOMS shoes.

If you see a friend advertising this Facebook scam, feel free to mark the post as spam by clicking the ‘x’ at the top of the page. You may also want to let your friend know that it is a scam so they can pass the word on.

Did you fall for this scam? Take a moment to remove any posts advertising this scam from your profile. Oh and keep an eye out for other scams that are likely to hit an inbox near you.


US Airways Spam Fueling ZeuS Trojan Infections

If you didn’t learn not to click on links embedded in Delta Air Lines spam, then perhaps the new US Airways spam campaign will teach you.

Kaspersky Lab Expert Dmitry Tarakanov warns that cybercrooks are spamming out bogus US Airways check-in emails in hopes of infecting the machines of gullible recipients with the popular ZeuS banking Trojan.

Here’s a sample email:

US Airways Spam
Image Credit: Kaspersky Lab

US Airways

You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). Then, all you need to do is print your boarding pass and head up to the gate.

Confirmation code: XXXXXX (random number)
Check-in online: Online reservation details


Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012

We are committed to protecting your privacy. Your information is kept private and confidential. For more information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281, Copyright US Airways, All rights reserved

From what I can tell, the confirmation code in the email appears to be random; however, the departure city and time seem to be constant.

Clicking the ‘Online reservation details’ link will take you to a malicious third-party site housing the widely-used Blackhole exploit kit, which will attempt to exploit Java, Adobe Flash Player or Adobe Reader in order to deliver the ‘Gameover’ build of the ZeuS/Zbot Trojan.

All of this will happen quietly in the background as the user curiously stares at the lonely ‘Loading..’ text occupying the page.

Of course, once the malware makes its way onto your machine, it will begin stealing sensitive online banking information, which will then be uploaded to a remote server controlled by the attackers.

US Airways is aware of the bogus spam circulating and has posted a warning on their website and Facebook page. US Airways advises users to hover their mouse over the link to check the underlying URL, which will have ‘usairways.com’ as the domain name if it is legitimate.

If you receive the email and notice that the URL for the link doesn't match, feel free to delete it.
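The Twitter DM post (check the address bar), the YouTube spam post (links whose visible text reads www.youtube.com but go to a third-party site, fake unsubscribe link included), the AT&T post (mouse over the link and look for att.com) and this US Airways post (hover and look for usairways.com) all ask you to do the same two checks by eye. Here they are as an added Python example, not code from any of those posts or from the companies they mention: `link_is_on_domain()` decides whether a URL really belongs to the claimed domain without being fooled by att.com.evil.example, att.com@evil.example or evil.example/att.com, and `audit_links()` parses an HTML email body and reports every anchor whose visible text names one host while its href goes to another, or that is simply not on the domain the message claims to come from. The sample email is constructed and redirector.example is a placeholder host.

```python
"""Added example (not from any of the posts or the companies they mention):
the two link checks the Twitter, YouTube, AT&T and US Airways posts ask the
reader to do by eye. link_is_on_domain() answers "does this URL really belong
to att.com / usairways.com / twitter.com?" without being fooled by
att.com.evil.example, att.com@evil.example or evil.example/att.com, and
audit_links() parses an HTML e-mail body and reports every anchor whose
visible text names one host while its href goes to another, or that is not on
the domain the message claims to come from. The sample e-mail is constructed
and redirector.example is a placeholder."""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lowercase hostname of an http(s) URL, or '' for anything else."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower().rstrip(".")


def link_is_on_domain(url: str, domain: str) -> bool:
    """True only if the URL's host is `domain` itself or a subdomain of it."""
    host = host_of(url)
    domain = domain.lower().strip(".")
    return bool(host) and (host == domain or host.endswith("." + domain))


def _shown_host(text: str) -> str:
    """Host named by an anchor's visible text, when that text looks like a URL."""
    compact = "".join(text.split())  # spam often breaks the URL with spaces: "http:// www..."
    if compact.lower().startswith("www."):
        compact = "http://" + compact
    return host_of(compact)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, expected_domain: str) -> List[Tuple[str, str, str]]:
    """Return (href, visible_text, reason) for every suspicious anchor."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual, shown = host_of(href), _shown_host(text)
        if shown and actual and shown != actual:
            findings.append((href, text, "visible text names a different host"))
        elif not link_is_on_domain(href, expected_domain):
            findings.append((href, text, f"not on {expected_domain}"))
    return findings


# Constructed sample shaped like the "Thank you for your video" message above.
SAMPLE_EMAIL_HTML = """
<p>YouTube sent you a notification:</p>
<p><a href="http://redirector.example/go?id=7">http:// www.youtube.com/watch?v=jK1FKHSjR0n&amp;feature=b-mv</a></p>
<p>You can unsubscribe at any time.
   <a href="http://redirector.example/unsub">Click here to unsubscribe.</a></p>
<p><a href="https://www.youtube.com/account">www.youtube.com/account</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL_HTML, "youtube.com"):
        print(f"{reason}: {text!r} -> {href}")
```

The domain check deliberately uses the parsed hostname rather than a substring search, which is the mistake the att.com.evil.example and evil.example/att.com tricks rely on; a link in a real AT&T or US Airways notice should pass `link_is_on_domain(href, "att.com")` or `link_is_on_domain(href, "usairways.com")` and nothing else.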
