Security Response
Showing posts for May of 2011
Nishant Doshi | 04 May 2011 12:48:33 GMT

Even before a user accepts the installation of a Facebook application, Facebook will send a limited amount of user data to the application’s website in order to help personalize your experience. Unfortunately, this user data includes information that users may not want to share without consent.

Facebook uses OAuth 2.0 as an authentication mechanism for its applications. When a user visits an iframe-based Facebook application (apps.facebook.com/yourapp) prior to installation, a POST request is sent to the third-party website hosting the application with the following data:

The ‘age object’ does not provide access to the specific age of the user, but it does provide a specific bracket. Three brackets are provided:

    13-17 (minage-13 or minage-13 and maxage-17)
    18-21 (minage-18)...

Eric Lin | 04 May 2011 10:09:29 GMT

Who was the one who held you in their arms when you let out your first cry in the world? Did you say “doctor?” Well, that may be true in some cases, but the more obvious answer is “mother.”

Dating back to ancient Greece, mankind held a festival worshiping Cybele, mother of the Greek gods. Mother’s Day is now celebrated around the world, mainly sometime in March, April, or May. The most common date is the second Sunday in May when, in most countries, mothers receive flowers and gifts in celebration of the day. How can spammers miss this special occasion when people are surfing the Internet to try and dig up a sweet surprise to express love and gratitude towards their mothers?

The following are Mother’s Day spam samples that Symantec has recently observed. There is a range of product spam, including flowers, watches, gift cards, and diet products. This latest spam campaign involved both dictionary and domain attack techniques,...

Samir_Patil | 03 May 2011 12:17:05 GMT

The first spam using the news of Osama Bin Laden’s death was seen in the wild within three hours of the event—Symantec reported this spam activity along with other spam samples in a blog entitled “Osama Dead” is No Longer a Hoax. As anticipated, we started observing a rise in malicious and phishing attacks.

Phishing attacks usually target big brands. In one such phishing attack capitalizing on Bin Laden news, spammers targeted CNN Mexico. The spam email contains a link to bogus “photos and uncensored videos” and redirects users to a phishing site:

The phishing site shows an auto-running Bin Laden related video in an iframe and asks the user to click on a link to download a “complete” video. Clicking on that link forces the download of an ....

Cathal Mullaney | 03 May 2011 10:42:57 GMT

We recently analyzed the source code of a malicious Apache Web server module that was using Apache filter functionality to infect HTML pages. This is a more active, complex, and unusual attack than simply infecting static Web pages on a Web server. The attack was unusual in that the Web server itself was the infection target. When a Web server is infected like this, every user that requests any Web page from that Web server is a potential victim. This is opposed to cases where static Web pages are infected with malicious code—only those specific pages put a user at risk of infection.

Symantec has a number of detections for HTML pages that have been modified to include links to malicious websites. Trojan.Maliframe!html, Trojan.Webkit!html, and...

khaley | 02 May 2011 21:12:21 GMT

It’s been a week since a senior official in Iran announced that they had discovered a new targeted attack aimed at them. The details of this attack are still vague. While Iran has labeled the attack "Stars", it’s not clear if it is Stuxnet-like in its complexity, target, or ultimate goals. Iran says they have not yet discovered its purpose. And it appears they have not shared malware samples with any outside security researchers.

If more details emerge, specifically a sample of the threat that can be examined by security researchers, or a hash of the suspected file so we can identify it in our sample set, we’ll examine it. Until then we can only speculate. So here goes: my thoughts on what possibly could be going on.

1. Iran has discovered the "Brother-of-Stuxnet"
Given the resources that were put behind Stuxnet, it shouldn't be surprising that more than one attack was planned. In product development,...

Samir_Patil | 02 May 2011 20:55:28 GMT

That’s right, and this time it’s not a hoax! Bin Laden was killed by a CIA-led operation on Sunday night at a mansion in Abbottabad, north of Islamabad. In 2004, Symantec reported a hoax email attack with the subject “Osama bin Laden Captured” which contained a link to a Web site that hosted malware. Similar attacks that used such false information about Osama Bin Laden were also distributed in 2005 and 2006.

News about famous or notorious personalities is often used in scams. At this moment, we at Symantec Probe Network are observing a huge inflow of legitimate messages carrying links to the news. However, in all likelihood, there will be an increase in spam volume targeting this news.

In one of the spam samples, the message is poisoned using the news of Osama’s death. The news snippet is glued in an HTML <title>...