Cloudmark Blog

Intelligence Briefings from the War on Spam


Archive for the ‘Phishing’ Category

Shorten this Spam

Terry Zink recently posted an article about an announcement Twitter made earlier in the month describing the steps they are taking to further protect their users against phishing attacks; they state:

By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe.

Based on information from their support pages (here and here) it seems they will use (at least in part) Google Safe Browsing. Users will see the twt.tl shortener service appearing, and it will only be on DMs (Direct Messages) and the email notifications they generate, for now.

URL shorteners work pretty much as the name might suggest, taking a long URL (which might perhaps look ugly) and converting it to a much shorter one. With the rise of Twitter and other microblogging services, the need to save the number of precious characters used has seen an explosion of URL shortener services. In fact, there is a good chance that you came to this posting via one of these services.

As Terry points out in his post, these services have a fundamental flaw: spammers can and do use them to hide the true destination of their malicious URLs. The URL they then post out is the shortened one, and because the shortener domains themselves are essentially ‘good’, domain-based filters that only look at the posted URL won’t flag them as spam. His post finishes with:

Now, if only we could get all of the URL shortening services to subscribe to these reputation services.

We’d like to second that comment and call on URL shortening services to take more proactive steps to identify and reduce the volume of spammy links submitted via their services. Even though it only really targets phishing and malware sites, Google has an API for their Safe Browsing service which would be a useful starting point.

Within the Security Operations Center at Cloudmark, one of the many things we keep an eye on is potential new URL shortener services. Our system takes these shortened URLs and follows them to their lengthier original state. This allows us to treat any shortened URL as if the original URL had been posted and use the reputation of that rather than the URL shortener service.
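To illustrate that resolution step, here is an added example (not Cloudmark’s own code) that follows a shortened URL through its redirect hops and judges it by the landing domain rather than the shortener domain. The redirect map, hostnames and reputation list are constructed stand-ins for live HTTP responses; the hop cap and loop check handle chains that never terminate.

```python
"""Resolve shortened URLs before applying domain reputation (added example)."""
from urllib.parse import urlparse

# Constructed redirect map standing in for the Location headers a real
# HEAD request would return. Hosts and paths are invented for the example.
REDIRECTS = {
    "http://sho.rt/a1": "http://other.sho.rt/z9",          # shortener -> shortener
    "http://other.sho.rt/z9": "http://spammy-pills.example/buy",
    "http://sho.rt/loop1": "http://sho.rt/loop2",           # two hops that chase each other
    "http://sho.rt/loop2": "http://sho.rt/loop1",
    "http://sho.rt/ok": "http://www.example.com/news/2010/03/long-article",
}

# Constructed reputation list: landing domains the filter already flags.
BAD_DOMAINS = {"spammy-pills.example"}

MAX_HOPS = 10  # bound the chase; a spammer can chain shorteners indefinitely


def resolve(url, lookup=REDIRECTS.get, max_hops=MAX_HOPS):
    """Follow redirects from url. Returns (final_url, chain, status) where
    status is 'resolved', 'loop' or 'too_many_hops'."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        nxt = lookup(current)
        if nxt is None:                 # no further redirect: this is the destination
            return current, chain, "resolved"
        if nxt in chain:                # revisiting a URL means the chain cycles
            return nxt, chain, "loop"
        chain.append(nxt)
        current = nxt
    return current, chain, "too_many_hops"


def classify_naive(url, bad_domains=BAD_DOMAINS):
    """What a domain-only filter sees: the shortener host, which looks clean."""
    host = urlparse(url).hostname or ""
    return "spam" if host in bad_domains else "clean"


def classify(url, bad_domains=BAD_DOMAINS):
    """Reputation of where the link finally lands, not of where it was posted."""
    final, _chain, status = resolve(url)
    if status != "resolved":
        return "suspicious"             # a chain that never ends is itself a signal
    host = urlparse(final).hostname or ""
    return "spam" if host in bad_domains else "clean"
```

For `http://sho.rt/a1` the naive check returns "clean" while the resolved check returns "spam", which is exactly the gap the shortener creates.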

One of the big problems here, though, is the sheer number of such services that are available; you can even run your own. To give you an idea, here are some numbers:

  • Total number of shortener services discovered: 707
  • Total number of shortener services seen in the past week linking to spammy websites: 275
  • Total number of shortened URLs seen in the past week linking to spammy websites: 5868

(‘past week’ here refers to the 7 days leading up to 30th March 2010)

So in the past week nearly 40% of the URL shortener services that we know about were abused by spammers, and each of those was used a little over 20 times on average. These are just the services we know about! Every day we discover more, and we now also have some semi-automated systems in place to detect new services before us humans do. This helps us react much more quickly to new spam attacks that use shortener services.

We’d love to hear from any URL shortener service that does take abuse of their service seriously and takes proactive steps to identify and remove spammy links from their service.

How do I recognise mobile spam and abuse?

Following on from our press release on the new MobileAuthority solution for mobile networks, we thought we’d give a quick roundup of some of the more common mobile spam and abuse attacks, and how to recognise them. One common theme in mobile abuse is that much of it is fraudulent, i.e. they are trying to scam you to get money, so it’s really important to be aware of the tricks they use.

Premium-Rate Number Scams

This is one of the most common types of spam, and it can be quite pernicious. The idea is to send you a message that tricks you into calling back or replying via SMS. The number you call or send a message to is actually registered as a “Premium-Rate” number, and you get charged much higher fees for that call/message on your bill. Even worse are the unscrupulous folks who sign you up for ongoing subscription services that charge you each time they send you messages. Most countries have a code of practice regulating these services, and most providers of these services are legitimate; however, you do have to watch out for messages (always unsolicited) like the following:

Hi, it’s me! Call me back on this number

Sorry I missed your call, can you get back to me on this number?

You’ve won a cash prize! Reply to 27361 to claim your winnings!

The most important thing, as with all spam, is to look out for (and be suspicious of) messages from unknown numbers, and also to be aware of the premium-rate number prefixes in your country. Here are a few examples:

France – 0899

UK – 09

USA – 900

For a fairly comprehensive list of premium rate numbers, there is an article on Wikipedia.

Some of these will be trying to get you to reply to a premium-rate shortcode; the lesson here is that practically all shortcodes that are not provided by your operator will cost you money to send to them. So be very careful when replying to SMS messages, especially those that come from shortcodes (these are typically 4-6 digit phone numbers, but unfortunately they don’t normally conform to a standard prefix, unlike premium-rate phone numbers).

Phishing

Phishing is a term used to describe malicious senders impersonating a company or institution (usually one you might have a financial or billing relationship with) in the hope of getting you to give them information which might help them defraud you of money. This usually takes the form of luring you to a website which looks just like your bank’s, for example, and then stealing your authentication (login) information. It can also lead to identity theft, or to your details being used to add premium services to your bill, etc. Even worse are the phishers who set up automated voice response systems that sound just like your bank – many people just don’t expect to be scammed in this manner.

Phishing can be quite hard to detect on a mobile, because many of us don’t question the trustworthiness of the SMS messages we receive on our mobile phone that claim to be from our bank, mobile phone operator, credit card company etc. We would encourage everyone to be suspicious of these types of messages, particularly if you aren’t expecting them. Some example SMS phishing messages we’ve seen in the past:

BANK OF THE XXXXXXXX urgent account notification, verify unusual activity, call 1800-###

Dear Customer we are sorry to inform you that we had to lock your XXXXXX Credit Union access. To reactivate it call ###-###-####.
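The premium-rate and phishing lures above share a few detectable traits: an unknown sender, a number to call or reply to, a premium prefix, a non-operator shortcode, or bank language next to a callback number. This added example (constructed rules, not MobileAuthority’s logic) scores a message on those traits; the sample texts are modelled on the ones quoted above with invented numbers, and the number normalisation is a deliberate simplification.

```python
"""Score an SMS against the premium-rate and phishing lures in the post (added example)."""
import re

# Premium-rate prefixes quoted in the post, matched on national-form digits.
PREMIUM_PREFIXES = {"FR": ("0899",), "UK": ("09",), "US": ("900",)}

PHONE_RE = re.compile(r"\+?\d[\d\-\. ]{5,}\d")              # 7+ chars, digit-bounded
CALLBACK_RE = re.compile(r"\b(call|ring|get back to me)\b", re.I)
REPLY_SHORTCODE_RE = re.compile(r"\breply\s+(?:to\s+)?(\d{4,6})\b", re.I)
BANK_WORDS = ("bank", "credit union", "account", "verify", "lock", "unusual activity")
PRIZE_WORDS = ("won", "prize", "winnings", "claim")


def national_digits(raw, country):
    """Digits of a dialled string in national form. Simplification (an
    assumption of this example): only the US long-distance '1' is stripped."""
    digits = re.sub(r"\D", "", raw)
    if country == "US" and len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    return digits


def is_premium(raw, country):
    return national_digits(raw, country).startswith(PREMIUM_PREFIXES[country])


def assess(text, sender, country, known_sender=False):
    """Return (score, reasons) for one message; two or more reasons is abuse.
    sender is the originating number or shortcode shown on the handset."""
    reasons, low = [], text.lower()
    numbers = [sender] + PHONE_RE.findall(text)   # every number a victim might dial
    if not known_sender:
        reasons.append("unknown sender")
    if any(is_premium(n, country) for n in numbers):
        reasons.append("premium-rate number")
    if CALLBACK_RE.search(text):
        reasons.append("callback lure")
    if REPLY_SHORTCODE_RE.search(text):
        reasons.append("reply-to shortcode")
    if sum(w in low for w in BANK_WORDS) >= 2 and PHONE_RE.search(text):
        reasons.append("bank impersonation")
    if sum(w in low for w in PRIZE_WORDS) >= 2:
        reasons.append("prize lure")
    return len(reasons), reasons


# Constructed sample traffic: text, sender, country, sender-in-contacts.
SAMPLES = [
    ("Hi, it's me! Call me back on this number", "0899123456", "FR", False),
    ("You've won a cash prize! Reply to 27361 to claim your winnings!", "27361", "US", False),
    ("Running late, see you at 7", "+33612345678", "FR", True),
]
```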

Viral Hoaxes

Viral hoax messages are often sent around – these can be very annoying, but are not typically considered harmful. They attempt to get you to forward a message to all your friends, in return for some reward for yourself (financial or even as tenuous as “good luck”). Here’s an example:

Text Message Holiday Special: Forward to 10 friends for $25 credit!

The message normally comes from your friends, and so appears trustworthy, and this alone is often enough to encourage people to follow the instructions in the message. As usual, our advice is – distrust any message that seems too good to be true, as it almost certainly is!

Mobile Viruses

Viruses do exist in the mobile world, and although it’s true that today they are not as prevalent as they are on PCs, they are growing in sophistication and penetration, particularly with the rise of smartphones. Transmitting a virus in an SMS message is actually pretty difficult, but we’ve recently seen the first example of a virus that uses SMS messages to propagate itself (the SexyView worm).

Without going into the specifics of SexyView, which are covered extensively elsewhere, it’s worth being aware that an unsolicited SMS message containing a web URL that looks really enticing (e.g. “Britney’s bare-faced cheek!”, “Ronaldo and Paris – the video”, “Video of WWII bomber found on moon!”) may actually take you to a website that downloads a virus to your mobile phone. In the case of this particular worm, the message appears to come from your friends, so you do have to be particularly vigilant. This kind of threat is only going to grow in the future, and could even be used to turn your mobile phone into a spam-sending bot, of the type commonly found on PCs, which would have serious implications for your next phone bill.

We’ll almost certainly revisit this topic in future blogs, as sadly mobile abuse is only going to increase in the future – all too obvious when you think that mobile is by far the world’s largest addressable communication medium, and thus the most attractive target for the bad guys out there.

Neil

Hot Videos? Highly Rated Pics?!? Beware!

This week’s upsurge in attempts to social engineer control of your computer out from under you comes at the expense of the reputations of several social networking sites. Last week, it was fake news stories, with promises of horrific video of bomb blasts close to you; this week, it’s fake Classmates.com and Facebook announcements of ‘highly rated’ videos and pictures of Young Girls Doing Things. The emails all have subjects (like the following) designed to trigger the prurient interests of Internet users:

Subject: Facebook message: Facebook girl Striptease Beautiful dance (Last rated by Cecile Lucero)
Subject: Classmates private: Party Photos (Last rated by Colby Hunt)

(There’s also cross-pollination, as there have been supposed “Classmates messages” advertising that Facebook girl – she must be popular!)

Unfortunately, disappointment lurks at the URL in the body. There, you’ll find a picture and a notice that, yes, your Flash player is out of date and must be updated. The ‘update’ will not allow you to view any pictures or video; instead, it will turn your machine into a zombie, invisibly under the control of one of the botmasters.

As with any of these infection attempts, there are a number of things you can do to protect yourself. First and foremost, surf smart. Don’t install software because a website told you to; if you find that you really need to update your Flash player, go get it from Adobe themselves. Keep all your security software up-to-date – that includes anti-virus, firewall, and anti-spam software. Monitor threat evaluation sites like Threat Expert, the US Computer Emergency Readiness Team (US-CERT), and the Internet Storm Center.

And, of course, be suspicious any time someone you’ve never heard of wants to share private photos with you.

“In this world nothing can be said to be certain, except death and taxes.”

Benjamin Franklin wrote those words in a 1789 letter to Jean Baptiste Le Roy. I’d like to add one more thing to the list of certainties: “Someone is going to try to social-engineer you out of your money”. In this case, they’re using one of the other certainties to do it.

With a month to go before Tax Day here in the US, phishers are ramping up their attempts to get their hands on your financial information. There’s been a definite uptick in phishing emails posing as revenue officials. A couple of examples:

[Image: irs_phish]

The link in this picture, of course, doesn’t go to the IRS’s website. Instead, it links to a bare IP address.

Our friends in the UK aren’t being left out, either:

[Image: uk_tax_phish]

The link in this phish went to a page at a free webhosting provider, not to the HMRC website.

There are many steps you can take to protect yourself. Make sure you’ve got the latest version of your web browser, as most have added functionality to point out suspicious sites. You can also install a third-party toolbar (like the Netcraft Anti-Phishing toolbar) that warns you of suspicious sites. Most importantly, be alert – know the web addresses of your revenue service (http://www.irs.gov for the US, http://www.hmrc.gov.uk for the United Kingdom) and your bank(s), and don’t enter personal information on a website unless you’re positive you’re on the correct site. If you have a question about the legitimacy of a site, you can call the customer support line of your bank or your revenue service to confirm.

Has your machine gone phishing?

Several weeks ago, multiple exploits were discovered in a webmail product called RoundCube. A couple of PHP modules within that product were unsafe and allowed the execution of arbitrary code on the server. Although fixes for these vulnerabilities were included in a security update on December 16th, there are apparently a lot of unpatched RoundCube installations out there.

Within the last few weeks, many RoundCube installations have become vectors for bank phishing attacks targeting mobile customers. By exploiting those vulnerable PHP modules, spammers have been able to install open proxies on mail servers, DNS servers, and other nominally secure Linux and Unix machines.

I’ve had the chance to review logs from some of these compromised machines and they all appear to have been used to send email to SMS accounts at places like Verizon Wireless and AT&T/Cingular. The payload of those messages tends to be bank phishing of the form ‘Your Credit Union account is locked due to unusual activity. Call XXX-XXX-XXXX to unlock’.

If you’re a system administrator, this should be a reminder to you to check all of your installed packages for security updates. Bad guys are out there, constantly testing common and uncommon software packages, looking for new and exciting ways to make use of resources that don’t belong to them. Don’t make it any easier for them.

And, if you get one of these text messages? Don’t call the number. If you’re really concerned about activity on your account, call your bank via the phone number on your ATM card or in your monthly statement. You might even pop in to your local branch and talk to an associate.