
    The truth about the Facebook Profile Viewer is simple: it doesn’t exist.

    You can check every Facebook page or app available, but you can be 100% sure that each one that says “See who viewed your profile!” or “Who’s stalking you?” is just a ruse to get Facebook users to reveal their passwords or spread spam. How do they do this? Clickjacking is a surefire way. In a typical clickjacking attack, cybercriminals hide malicious content under the guise of legitimate pages and may use malicious JavaScript to load content from third-party sites, all in a few clicks.

    But what happens if cybercriminals turn to different and newer techniques? Having users type in commands on their keyboard would be a real game changer. Here’s how:

    Ctrl+FB

    A closer look at a comment within a spammed wall post showcases the start of a different strategy for spammers this time around.


    Once you click the link in the comment box, it redirects again to a Facebook login page with Pinterest.


    Once logged in, the site redirects to another malicious URL that claims to be the “Official Facebook Profile Viewer.” Clicking the ‘Get Started’ button redirects to an image with keyboard shortcuts, with instructions for users to carry out.


    It then redirects to another page asking users to type in another set of keyboard shortcuts for the supposed security check.

    Finally, the infection chain results in a malicious survey scam, which is typical of many attacks on social networking sites. We have extensively covered this type of scam in the past, including those that leverage Google Glass, Instagram, and even those found on Tumblr. Sadly, users still fall for this. To avoid this threat, always remember that threats are just lurking on social networking sites and always be cautious when clicking links, even if they come from your contacts. Trend Micro already blocks access to sites related to this threat.

    And let me be clear – a legitimate Facebook Profile Viewer doesn’t exist. For now, anyway.

     

    Windows XP is officially on its last legs – as far as Microsoft is concerned. There is less than a year remaining before official support ends for the 11-year-old operating system on April 8, 2014.

    For users, the biggest impact of this will be that Microsoft will no longer release security updates for Windows XP vulnerabilities after that date. This wouldn’t be a problem, if it weren’t for the fact that so many users are still using XP. Net Applications data says that even now, more than a third of all PCs are still on XP. It was not until August 2012 that the number of Windows 7 users exceeded Windows XP users according to this data.

    The potential for criminals to take advantage of this situation is significant. As long as there are significant numbers of XP users, they will continue to be targeted – and new exploits will continue to see the light of day. In the absence of any security patches from Microsoft, these will be all the more dangerous. (To highlight how they’re still finding new security holes in Windows XP, consider this: every Patch Tuesday in 2013 so far has had at least one Critical bulletin that covered XP.)

    All users still on XP should consider upgrading right away. Most users may be due for an upgrade in their systems anyway, since it’s been years since XP was sold to end users. However, enterprise and other Windows XP users may well have had reasons not to migrate up to this point – for example, custom software that requires XP to work. However, running software that will never be patched is a significant gamble – particularly software that has been as enduring a target as Windows XP is.

    These organizations should be preparing migration plans and getting ready to implement them later this year. If they make the decision to stick with Windows XP past April 2014 – with an operating system that by that time will be more than 12 years old – then they should be prepared to deal with the security fallout as well.

    For our part, we will continue to provide new rules for Deep Security and OfficeScan Intrusion Defense Firewall, which we recommend that users apply to protect themselves from new threats. These allow users to minimize the threats that out-of-support operating systems like Windows XP face; as an example these products allow us to continue to provide protection for customers who still maintain Windows 2000 systems.

     

    For this month’s Patch Tuesday, Microsoft released security updates to resolve nine bulletins, including a bulletin for two critical issues found in all versions of Internet Explorer on all supported versions of Windows (which includes Windows 8 and Windows RT).

    These issues received a critical severity rating, which means IT or security administrators should consider this bulletin high-priority. These issues affect all versions of Internet Explorer, from IE 6 to 10. If successfully exploited, these vulnerabilities could permit a possible attacker to execute malware once a user visits a certain malicious website via Internet Explorer (what we call drive-by downloads or attacks). The other IE issue may allow a successful attacker to gain the same rights or privileges that an affected user has. Fortunately, this may have less impact if the victim has no administrator privileges.

    The other critical bulletin addresses a privately disclosed vulnerability in Windows Remote Desktop. Like the IE bulletin, this issue may allow a remote malicious user to execute malicious code onto the vulnerable system.

    Besides this month’s roster of security updates, Microsoft announced another major reminder, specifically its plan to stop supporting Windows XP and Office 2003 by April 8, 2014. Thus, we might be seeing fewer and fewer updates for the platform until this deadline. To prevent any possible problems, Microsoft is encouraging its customers who are still using Windows XP to upgrade to a “more modern platform” such as Windows 7 and 8 as soon as possible.

    Microsoft is no longer the only vendor rolling out updates on Patch Tuesday as well. Adobe has also rolled out patches covering ColdFusion, Flash Player, and Shockwave Player.

    Trend Micro Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plugin users are protected from any attacks that may leverage these vulnerabilities. For more information on the bulletins and corresponding Trend Micro solutions, visit the Threat Encyclopedia Page.

     

    In response to the growing threat of mobile malware, one intriguing concept has emerged as a potential solution to help enterprises secure mobile devices: dual-identity devices.

    The idea is actually fairly simple. On the phone there will be two distinct profiles: one for personal usage, another for work usage. The apps and data of each profile would be kept distinct from each other. The “personal” profile would be managed by the user, and the “work” profile would be kept locked down (the way most IT people would prefer it). In theory, everybody is happy: the user gets to use their phone as they see fit, the user’s company has their data safe and sound. It’s a win-win situation, right?

    The concept is appealing enough that both Blackberry and Samsung have announced that they are using this very concept in their newest products. However, the devil is in the details – and that is where we discover there are a few problems.

    Firstly, there isn’t a standard for how to do this sort of security. What it means is that if enterprises really want to use a feature like this, they might find that only a small percentage of devices are as secure as they ought to be because many employee devices aren’t on the right platform. Alternately, they might have to limit their users to a very specific device or platform – which goes against the grain of the entire Bring-Your-Own-Device trend.

    Secondly, there’s the issue of usability. How will the user “see” the secured, encrypted portion? Blackberry’s implementation treats home/work as a setting, which can be easily changed from the phone’s home screen. Samsung’s implementation is more analogous to an app that has to be used.

    Security features that are inconvenient to use won’t be used. Consider passwords: in theory, they work well enough, but because users find it inconvenient to memorize secure ones, they use weak ones which are trivial to break. If these features are difficult to use, then they will likely be ignored or bypassed.

    It’s quite likely that we’ll see similar security solutions become more common in mobile platforms either this year or next. The idea itself has plenty of merit; the problem is how it will be implemented. If it turns into a fragmented mess with each vendor, each OEM, each carrier having their own “solution” then this idea will go nowhere.

    On the other hand, if a reasonably multi-platform solution that’s easy to use for both IT administrators and users is found and sees widespread adoption, it would be a huge step forward in making BYOD easier for enterprises to swallow as part of a comprehensive and well-thought-out consumerization plan.

     

    The Internal Revenue Service (IRS) opened up the filing season on January 30, 2013 to help taxpayers prepare for the looming April 15 tax deadline. April 15, colloquially known as Tax Day, is when individual income tax returns are due to the federal government. As is typical of cybercriminals, they have also prepared their own tax-related scams for taxpayers, and these scams aren’t a far cry from the usual attempts.

    Tax-themed attacks usually arrive in the form of spammed messages claiming to be from the IRS or other government-related entities. In order to appear a little more convincing, the messages are crafted to intimidate and scare users into acting on them immediately, without having the chance to verify whether these emails are legitimate. Below are some of the common trends in tax-themed messages seen in 2012:

    • Rejected Federal Tax Transfer
    • Rejected Federal Tax Transaction
    • Rejected Federal Tax Payment
    • Federal Tax Payment returned
    • Federal tax transfer canceled
    • Federal tax transfer rejected
    • Federal tax transfer returned
    • Your IRS federal tax transfer is cancelled
    • Your federal tax transaction has been not accepted
    • Your transaction is cancelled
    • IRS report of not accepted tax bank transfer
    • Report of tax transaction decline
    • Report of tax bank transfer decline
    • Income Tax Refund CANCELED
    • Income Tax Refund RETURNED
    • Income Tax Refund TURNED DOWN
    • Income Tax Refund NOT APPROVED

    …And the list goes on. Notice that these messages are made to warn users of their “negligence” in terms of payment. Due to the serious penalty involved and to avoid any kind of scuffle with the law, people would naturally try to remedy the situation by clicking the links or downloading attached files, only because the email instructed them to.


    Figure 1. Detected phishing URLs related to the IRS

    Apart from spam, phishing sites have also been a tax season staple throughout the years. We’ve spotted phishing pages copying the IRS official site that spike in February but wane come March.

    In an attempt to target the growing number of mobile device users, some cybercriminals have even created tax-themed malicious apps. According to reports, these apps were being distributed using the Cutwail botnet by way of the Blackhole Exploit kit.

    Why does this threat still persist?

    Though the IRS issues regular warnings on their website, cybercriminals have long been effective in deceiving people and are continuously generating profit from it.

    We will continue to monitor and block tax-related threats by preventing spam from even reaching users’ inboxes via our email reputation technology. Web reputation technology also blocks user access to malicious sites, and file reputation technology prevents the download and execution of malicious files onto users’ systems.

    To avoid falling prey to these schemes, it pays to know how social engineering works and what makes it effective. Treat every message you receive as potentially malicious and do not download any attachment or click any link unless verified. These may seem like run-of-the-mill threats, but it looks like they won’t be going away any time soon.

     



     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice