Cloudmark Blog

Intelligence Briefings from the War on Spam


Archive for January 2009

There’s malware *everywhere*…

… at least, if you believe Google.

It’s 7:15 AM on Saturday, 1/31/09. Every search term I’ve entered into Google for the last half hour or so has resulted in a pretty standard list of results, with a new addition – every result is tagged “This site may harm your computer”. Any links in the results feed me through a Google interstitial page that tells me that the page (even Google’s own homepage) has malware, and that I shouldn’t go there (and, to make it harder to accidentally do bad things to my computer, there’s no direct link from that interstitial page to the result I want to visit). Their internal link to an explanation is also broken; one or more machines appear to have fallen over under the weight of everyone asking “What’s wrong with Wikipedia??!?!?”

This is supposed to happen when you try to access questionable pages. This morning, Google thinks the whole world is questionable.

[UPDATE: as of 7:30 AM, Google appears to have fixed themselves. The world waits for an explanation. I wonder if this is the result of breakage in their open redirect detection.]

[UPDATE: Google's blog now has an official explanation. The value '/' was manually added to their list of possibly malicious sites, and '/' expands to 'all web sites'.]

Has your machine gone phishing?

Several weeks ago, multiple exploits were discovered in a webmail product called RoundCube. A couple of PHP modules within that product were unsafe and allowed the execution of arbitrary code on the server. Although fixes for these vulnerabilities were included in a security update on December 16th, there are apparently a lot of unpatched RoundCube installations out there.

Within the last few weeks, many RoundCube installations have become vectors for bank phishing attacks targeting mobile customers. By exploiting those vulnerable PHP modules, spammers have been able to install open proxies on mail servers, DNS servers, and other nominally secure Linux and Unix machines.

I’ve had the chance to review logs from some of these compromised machines and they all appear to have been used to send email to SMS accounts at places like Verizon Wireless and AT&T/Cingular. The payload of those messages tends to be bank phishing of the form ‘Your Credit Union account is locked due to unusual activity. Call XXX-XXX-XXXX to unlock’.
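A defender reviewing mail logs for the pattern described above can look for bursts of delivery to carrier email-to-SMS gateways, which a normal mail server rarely produces. This is an added example, not code from the post; the Postfix-style log lines are constructed, and the gateway domains vtext.com and txt.att.net are assumed (extend the set for your own carriers).

```python
import re
from collections import Counter

# Assumed carrier email-to-SMS gateway domains; add your own carriers' gateways.
SMS_GATEWAYS = {"vtext.com", "txt.att.net"}

# Constructed Postfix-style outbound log sample (not real traffic).
SAMPLE_LOG = """\
Jan 28 03:14:01 mx1 postfix/smtp[2211]: 7A1F2B: to=<5551230001@vtext.com>, relay=smtp.vtext.com[192.0.2.10]:25, status=sent (250 OK)
Jan 28 03:14:02 mx1 postfix/smtp[2211]: 7A1F2C: to=<5551230002@vtext.com>, relay=smtp.vtext.com[192.0.2.10]:25, status=sent (250 OK)
Jan 28 03:14:02 mx1 postfix/smtp[2212]: 7A1F2D: to=<5551230003@txt.att.net>, relay=mx.txt.att.net[192.0.2.20]:25, status=sent (250 OK)
Jan 28 03:14:03 mx1 postfix/smtp[2212]: 7A1F2E: to=<5551230004@txt.att.net>, relay=mx.txt.att.net[192.0.2.20]:25, status=sent (250 OK)
Jan 28 03:14:05 mx1 postfix/smtp[2213]: 7A1F2F: to=<alice@example.org>, relay=mail.example.org[192.0.2.30]:25, status=sent (250 OK)
Jan 28 03:20:11 mx1 postfix/smtp[2214]: 7A1F30: to=<5551230005@vtext.com>, relay=smtp.vtext.com[192.0.2.10]:25, status=sent (250 OK)
Jan 28 03:21:40 mx1 postfix/smtp[2215]: 7A1F31: to=<5551230006@vtext.com>, relay=smtp.vtext.com[192.0.2.10]:25, status=deferred (connection timed out)
"""

# Match successfully delivered messages; capture the minute and recipient domain.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ postfix/smtp\[\d+\]: \w+: "
    r"to=<[^@>]+@(?P<domain>[^>]+)>,.*status=sent"
)

def sms_deliveries(log_text):
    """Yield (minute, domain) for each delivered message to an SMS gateway."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("domain").lower() in SMS_GATEWAYS:
            yield m.group("ts"), m.group("domain").lower()

def sms_bursts(log_text, threshold=3):
    """Return {minute: count} for minutes with at least `threshold` deliveries
    to SMS gateways; such bursts are a sign the host is relaying SMS phishing."""
    per_minute = Counter(minute for minute, _ in sms_deliveries(log_text))
    return {minute: n for minute, n in per_minute.items() if n >= threshold}

def gateway_totals(log_text):
    """Return a Counter of delivered messages per SMS gateway domain."""
    return Counter(domain for _, domain in sms_deliveries(log_text))

if __name__ == "__main__":
    for minute, n in sorted(sms_bursts(SAMPLE_LOG).items()):
        print(f"{minute}: {n} messages to SMS gateways")
    print(dict(gateway_totals(SAMPLE_LOG)))
```

Deferred deliveries are ignored on purpose; count them separately if you want to see attempted volume rather than what actually left the host.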

If you’re a system administrator, this should be a reminder to you to check all of your installed packages for security updates. Bad guys are out there, constantly testing common and uncommon software packages, looking for new and exciting ways to make use of resources that don’t belong to them. Don’t make it any easier for them.

And, if you get one of these text messages? Don’t call the number. If you’re really concerned about activity on your account, call your bank via the phone number on your ATM card or in your monthly statement. You might even pop in to your local branch and talk to an associate.

“Let’s be careful out there”

Websense is reporting that 70 of Alexa’s Top 100 sites have been seen either directly hosting, or providing redirects to, ‘malicious sites’. Put another way, more than 77% of the sites Websense detected as hosting malicious content were sites with ‘good’ reputations. While specifics of the definition of malicious aren’t given, they do point out that almost 40% of those sites hosted code designed to steal end users’ data, including user names, passwords, and credit card information.

A lot of these sites are being advertised in email. By Websense’s numbers, about 90% of spam (or, about 75% of all email) contained links to one of these malicious sites.

A quick look through the top 100 shows a lot of familiar names: Google (in all its international incarnations), Yahoo!, Microsoft, LiveJournal, Facebook, Blogger. The unifying theme here is that all of these sites allow user-uploaded content, mostly in the form of blog posts. That content can be anything, from a simple URL pointing at a Canadian Pharmacy website to a cross-site scripting vulnerability.

Just as the bad guys are employing a multi-layer offense designed to steal data (such as spam email that points you to a Good Guy redirector that eventually ends up at an innocent-seeming website that pushes a keylogger trojan down to your machine), users need to start considering defense in depth to ensure their own safety. The old mantras of “keep your anti-virus software up to date” and “don’t click on links from people you don’t know” are falling by the wayside in the face of compromised accounts sending out exploits that the virus companies haven’t seen yet. What can be done?

  • Don’t click on links from people you do know, if it seems out of place for them to have sent them. If your mom sends you links to Google Groups, or a business colleague forwards over a Blogspot link, perhaps a phone call to verify the provenance of those links is in order.
  • Keep all of your security software up to date. That includes downloading and installing critical Microsoft patches, new fingerprints for your anti-virus software, and upgrades to your web browser.
  • Be vigilant with personal information. Change your passwords frequently. Check your bank and credit card accounts at least once a week for unusual activity, and pull your free credit report once a year.
  • Consider changing web browsers. Firefox has, historically, been seen as more secure than Internet Explorer.
  • Install trusted security add-ons for your web browser. NoScript (a Firefox extension that prevents untrusted sites from running scripts) and the Netcraft toolbar (for IE or Firefox, this toolbar displays registration information and a safety rating for any website you visit) are two tools that should be in everyone’s toolbelt.

Managing SMS expectations

AT&T Wireless is coming under fire for sending a message to their subscribers reminding them to watch the season premiere of American Idol. AT&T’s spokesman has defended the campaign, pointing out that the messages were free, only sent to AT&T subscribers (with whom AT&T has an ongoing business relationship), and gave recipients a way to opt out.

Recently, Optus was fined $110,000 AU (about $72,000 US) for sending text messages to about 20,000 of their subscribers promoting their new Zoo service. Optus’s message did not clearly identify Optus as the sender, in violation of Australia’s Spam Act of 2003.

Separate events, but they do highlight three common issues:

1) Make sure your customers know what to expect from you. Suddenly changing the overall content of what you’re sending is likely to cause spam complaints to skyrocket.

2) Be clear about who you are. Choose an identity and stick with it. In email terms, sending as different entities or using a large number of domain names in your messages makes it harder for recipients to identify that you’re the company they’re expecting to hear from.

3) Understand your local laws, and the laws of your receivers. Optus ran afoul of the Spam Act requirement that “the message clearly and accurately identifies the individual or organisation who authorised the sending of the message”. In Optus’s case, they used the sender identification ‘966’ (‘ZOO’). AT&T Wireless, however, clearly identified themselves as the sender.