
Back to Basics with Fake AV

  • Post author: Omid Farhang
  • Post published: March 30, 2010
  • Reading Time: 1 min
  • Word Count: 130 words

We’ve been seeing Fake AV programs getting more convincing for a while now. Some of the tricks employed by the guys behind these rogue programs include Windows-7-style fake scanners, in-browser “scanners”, and program features that ape other aspects of the operating system. Yesterday, though, we came across a misleading application called AntiVirusDemoFraud that is—how to say?—possibly a little less sophisticated than some in terms of user interface design. ...


Child Tax Credit is the New Phishing Bait

  • Post author: Omid Farhang
  • Post published: March 26, 2010
  • Reading Time: 2 min
  • Word Count: 364 words

Who wouldn’t want some tax benefits in the current economic times? Don’t phishers and scammers know that all too well! In a new phishing scheme, we found that Child Tax Credit is being used as bait to lure parents to disclose their financial data. This attack specifically tries to convince users to make claims for credit and lower their tax burden by using their children’s education expenses. According to the Internal Revenue Service (IRS) website [PDF], taxpayers may be able to reduce their federal income tax by up to $1,000 for each qualifying child. Making use of this information, the spam email discusses the expensive education of children and quickly advises recipients to use this expense to make claims for tax credits under the numerous tax benefits provided by the IRS. They make a further appeal that as a U.S. citizen or resident, recipients should apply for their tax returns. According to the email, users can get a tax refund of $75,000 for their children’s education. To apply for a refund, users need to complete a form attached to the email message. The fraudulent email has an HTML attachment named “#1924819299.pdf.htm”. ...


Bulgarian city official loses committee post because of Farmville addiction

  • Post author: Omid Farhang
  • Post published: March 25, 2010
  • Reading Time: 1 min
  • Word Count: 188 words

**Computer security category of risk: human factors?** The Sofia, Bulgaria, news site novinite.com is reporting that a city councilor in Bulgaria’s second largest city of Plovdiv was voted out of a city council committee because he wouldn’t stop playing Farmville during meetings. The Plovdiv city hall recently got wireless Internet and city councilors got laptop computers. Two weeks ago council chairman Ilko Iliev started to get irritated by council members playing Farmville during budget hearings. ...


It takes only one ‘nice’ person

  • Post author: Omid Farhang
  • Post published: March 25, 2010
  • Reading Time: 2 min
  • Word Count: 299 words

In the security industry we often focus heavily on new technologies and shiny new software, and forget that so much of what we see is dependent on the person behind the computer. Today, a co-worker of mine was sent an email from someone she doesn’t know, with the following text: “I’m writing this with tears in my eyes,my fam and I came down here to Wales,United Kingdom for a short vacation unfortunately we were mugged at the park of the hotel where we stayed,all cash,credit card and cell were stolen off us but luckily for us we still have our passports with us. ...


Google-in-China saga: another hack, move to HK

  • Post author: Omid Farhang
  • Post published: March 25, 2010
  • Reading Time: 5 min
  • Word Count: 914 words

There is a risk to computer security from governments. Regulatory changes, even if they are very positive measures, can impose huge demands on an enterprise (e.g. HIPAA, Sarbanes-Oxley, California’s law requiring notification of customers whose personal information is hacked on company sites). The “government” risk can get no bigger than the clash of Google and the government of China over the censorship issue. The world suspects that the Chinese government or its proxies were behind a campaign of hacking against Google and other major U.S. companies several months ago. Google reacted to the hacks by saying in January that it would stop censoring search results for web users in China. Monday it said it would move to Hong Kong. ...


New social media? Pay to play online games with women?

  • Post author: Omid Farhang
  • Post published: March 25, 2010
  • Reading Time: 2 min
  • Word Count: 351 words

“Dirty” or “Flirty” Ok. It’s an old formula for a successful business: pay girls to have fun with you. This time the schtick is getting on-line gamers to pay $8.25 (US) to play an online game with a female for 10 minutes. The women get to keep 40 percent. The site is GameCrush. It just opened last night and it seems to be a success (screen shots below.) “GameCrush is being touted as the first social site for adult gamers with the women online able to set their gaming mood to either ‘flirt’ or ‘dirt’, IGN reports. “The men online are known as Players and the women as PlayDates and Players pay to play while PlayDates get paid to play. “Players browse PlayDate profiles — of which there are currently 1200 — view photos and even chat with girls for free.” “At the moment it only supports Xbox 360 and some games on the GameCrush website. GameCrush plans to support PlayStation 3, Wii and World of Warcraft.” ...


Using Windows “hosts” file to cut off the help line

  • Post author: Omid Farhang
  • Post published: March 23, 2010
  • Reading Time: 1 min
  • Word Count: 194 words

We found this interesting and malicious little mechanism. The hosts file on a machine under investigation was modified to redirect the victim’s browser to a well-known legitimate site (in this case google.com) whenever he attempted to contact a list of nearly 400 sites. The list was a “Who’s Who” of the anti-malware world – most places where someone with an infected machine would go to get help. The altered hosts file he found contained many lines beginning with ‘#’ followed by gibberish. These would be seen as comments by any browser and ignored. Concealed among the commented lines are lines containing the domain name redirections. When the commented lines are stripped, we find all the listed security-related websites being redirected to “209.85.129.99” which is the IP address for google.com. ...


Icelandic Volcano Erupts, Fake Antivirus Spews Forth

  • Post author: Omid Farhang
  • Post published: March 22, 2010
  • Reading Time: 3 min
  • Word Count: 554 words

Yesterday there was a volcanic eruption in Iceland, near the Eyjafjallajoekull glacier, that has led the Icelandic authorities to declare a state of emergency in southern Iceland. People living nearby have been evacuated in case of glacial melt water flooding and the airspace near the now active volcano is effectively closed off. As you have probably already guessed, any event which commands a high level of public interest will be pounced on quickly by the makers of fake antivirus software in order to make a quick buck. This incident is no exception. ...


Phishers cast their nets at Neopets Users

  • Post author: Omid Farhang
  • Post published: March 22, 2010
  • Reading Time: 1 min
  • Word Count: 200 words

If you have children that play Neopets, you might want to warn them about this website or insert it into a blocklist of your choosing. The site is Neopoints(dot)tk, and promises lots of free Neopoints related items, with the help of a cute mascot called “Tuma the Draik”. I think there was a Norwegian prog rock group from the 70s called that, but I could be wrong. Of particular note here is the fact the site claims to offer “free magic paintbrushes”. These items are incredibly rare in Neopets land, and an excited child could easily wander into this particular trap as a result. ...


Google search reveals 3 million pages link to rogue AVs

  • Post author: Omid Farhang
  • Post published: March 22, 2010
  • Reading Time: 2 min
  • Word Count: 228 words

Do you know what the latest version of Adobe’s Flash Player is? If you don’t, you may very well fall for this: Flash Player 11? There are more than 3 million pages linking to this alleged version 11: Most pages are from unsanitized forums, but there is even a Google Ad for it! Ooooops. The screen below depicts the social engineering trick: What appears to be an X-rated video with a Windows Media Player logo (that is odd!). ...
