Cloudmark Blog

Intelligence Briefings from the War on Spam


Archive for the ‘Exploits’ Category

Hot Videos? Highly Rated Pics?!? Beware!

This week’s upsurge in attempts to social engineer control of your computer out from under you comes at the expense of the reputations of several social networking sites. Last week, it was fake news stories, with promises of horrific video of bomb blasts close to you; this week, it’s fake Classmates.com and Facebook announcements of ‘highly rated’ videos and pictures of Young Girls Doing Things. The emails all have subjects (like the following) designed to trigger the prurient interests of Internet users:

Subject: Facebook message: Facebook girl Striptease Beautiful dance (Last rated by Cecile Lucero)
Subject: Classmates private: Party Photos (Last rated by Colby Hunt)

(There’s also cross-pollination, as there have been supposed “Classmates messages” advertising that Facebook girl – she must be popular!)

Unfortunately, disappointment lurks at the URL in the body. There, you’ll find a picture and a notice that, yes, your Flash player is out of date and must be updated. The ‘update’ will not allow you to view any pictures or video; instead, it will turn your machine into a zombie, invisibly under the control of one of the botmasters.

As with any of these infection attempts, there are a number of things you can do to protect yourself. First and foremost, surf smart. Don’t install software because a website told you to; if you find that you really need to update your Flash player, go get it from Adobe themselves. Keep all your security software up-to-date – that includes anti-virus, firewall, and anti-spam software. Monitor threat evaluation sites like Threat Expert, the US Computer Emergency Readiness Team (US-CERT), and the Internet Storm Center.

And, of course, be suspicious any time someone you’ve never heard of wants to share private photos with you.

All the news that’s fit to infect you…

The Waledac botnet is trying to grow again, and the herders may have hit upon a great new twist. Waledac bots are currently sending out huge numbers of fake Reuters news articles about a bombing near the recipient’s location. These emails point to a “Breaking News” website that claims to have a link to video of the story that requires you to update your Flash player (except that what they serve you is not a new Flash player, but a bot infestation).

What makes this unusual is the fake news story (or, rather, the machines that host it). The infected machines serving the ‘news story’ webpages are also performing geolocation lookups on the IPs trying to pull the page, and altering the content based on where they think that IP is located. If they can determine where you are, the ‘breaking news’ story that you get will be tailored to you, saying that the bombing took place in a town near you. In terms of social engineering, this goes a long way toward making the content more believable.

How can you protect yourself from this? To start, make sure your anti-virus signatures are up to date. Be wary of previously unknown sites – don’t install software just because a website told you to. Visit the US Computer Emergency Readiness Team (US-CERT) website – they’ve got great papers on avoiding social engineering attacks and other email scams.

Has your machine gone phishing?

Several weeks ago, multiple exploits were discovered in a webmail product called RoundCube. A couple of PHP modules within that product were unsafe and allowed the execution of arbitrary code on the server. Although fixes for these vulnerabilities were included in a security update on December 16th, there are apparently a lot of unpatched RoundCube installations out there.

Within the last few weeks, many RoundCube installations have become vectors for bank phishing attacks targeting mobile customers. By exploiting those vulnerable PHP modules, spammers have been able to install open proxies on mail servers, DNS servers, and other nominally secure Linux and Unix machines.

I’ve had the chance to review logs from some of these compromised machines and they all appear to have been used to send email to SMS accounts at places like Verizon Wireless and AT&T/Cingular. The payload of those messages tends to be bank phishing of the form ‘Your Credit Union account is locked due to unusual activity. Call XXX-XXX-XXXX to unlock’.
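The log review described above is the kind of check a mail administrator can script. The following is an added example, not code from the original post or from Cloudmark: it parses Postfix-style queue-manager and SMTP log lines (constructed sample lines, modelled on a web-server account relaying mail to carrier email-to-SMS gateways), groups SMS-gateway recipients by sender so that a burst from one local account stands out, and applies a simple pattern check for the ‘account is locked … Call NNN-NNN-NNNX’ lure. The gateway domain list and the burst threshold are assumptions; tune both to your environment.

```python
import re
from collections import defaultdict

# Assumed carrier email-to-SMS gateway domains (not named on the page); adjust
# to the carriers that matter in your environment.
SMS_GATEWAY_DOMAINS = {"vtext.com", "txt.att.net", "cingularme.com"}

# Constructed Postfix-style log excerpt: a web-server account (as a compromised
# webmail install might use) pushes three messages to SMS gateways in seconds,
# followed by one ordinary user-to-user message for contrast.
SAMPLE_LOG = """\
Jan 14 03:12:01 mail postfix/qmgr[1234]: 7A1B2C: from=<www-data@webmail.example.test>, size=412, nrcpt=1 (queue active)
Jan 14 03:12:01 mail postfix/smtp[2345]: 7A1B2C: to=<2125550101@vtext.com>, relay=smtp.vtext.com[192.0.2.10]:25, status=sent (250 OK)
Jan 14 03:12:02 mail postfix/qmgr[1234]: 7A1B2D: from=<www-data@webmail.example.test>, size=412, nrcpt=1 (queue active)
Jan 14 03:12:02 mail postfix/smtp[2345]: 7A1B2D: to=<2125550102@txt.att.net>, relay=mx.txt.att.net[192.0.2.11]:25, status=sent (250 OK)
Jan 14 03:12:03 mail postfix/qmgr[1234]: 7A1B2E: from=<www-data@webmail.example.test>, size=412, nrcpt=1 (queue active)
Jan 14 03:12:03 mail postfix/smtp[2345]: 7A1B2E: to=<2125550103@vtext.com>, relay=smtp.vtext.com[192.0.2.10]:25, status=sent (250 OK)
Jan 14 03:15:10 mail postfix/qmgr[1234]: 7A1B2F: from=<alice@example.test>, size=2048, nrcpt=1 (queue active)
Jan 14 03:15:10 mail postfix/smtp[2345]: 7A1B2F: to=<bob@example.org>, relay=mx.example.org[192.0.2.12]:25, status=sent (250 OK)
"""

# qmgr lines carry the envelope sender; smtp lines carry each recipient.
# The queue ID ties the two together.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")


def sms_gateway_recipients(log_text):
    """Map each envelope sender to the SMS-gateway addresses it delivered to."""
    sender_by_qid = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            sender_by_qid[m["qid"]] = m["sender"]
            continue
        m = SMTP_RE.search(line)
        if m:
            rcpt = m["rcpt"]
            domain = rcpt.rpartition("@")[2].lower()
            if domain in SMS_GATEWAY_DOMAINS:
                hits[sender_by_qid.get(m["qid"], "<unknown>")].append(rcpt)
    return dict(hits)


def find_sms_bursts(log_text, threshold=3):
    """Senders that hit at least `threshold` SMS-gateway recipients (assumed threshold)."""
    return {s: len(r) for s, r in sms_gateway_recipients(log_text).items()
            if len(r) >= threshold}


# Lure shape from the post: a financial account is 'locked', and the reader is
# told to call a phone number. Kept deliberately loose; it is a triage aid.
PHONE_PHISH_RE = re.compile(
    r"\b(account|card)\b.{0,60}?\b(locked|suspended|restricted)\b.{0,80}?\bcall\b.{0,20}?"
    r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}",
    re.IGNORECASE | re.DOTALL,
)


def looks_like_phone_phish(body):
    """True when a message body matches the 'account locked, call this number' lure."""
    return PHONE_PHISH_RE.search(body) is not None


if __name__ == "__main__":
    for sender, count in find_sms_bursts(SAMPLE_LOG).items():
        print(f"{sender}: {count} messages to SMS gateways")
    # Constructed message body in the shape the post quotes.
    print(looks_like_phone_phish(
        "Your Credit Union account is locked due to unusual activity. Call 212-555-0199 to unlock"))
```

Run against a real `mail.log`, the burst check surfaces the sender account to investigate (on a compromised webmail host that is typically the web-server user), and the body pattern helps sort quarantined copies; neither replaces a proper look at what process is injecting the mail.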

If you’re a system administrator, this should be a reminder to you to check all of your installed packages for security updates. Bad guys are out there, constantly testing common and uncommon software packages, looking for new and exciting ways to make use of resources that don’t belong to them. Don’t make it any easier for them.

And, if you get one of these text messages? Don’t call the number. If you’re really concerned about activity on your account, call your bank via the phone number on your ATM card or in your monthly statement. You might even pop in to your local branch and talk to an associate.