News, Reviews and more from Australia's Macintosh Authority
Some Facebook users have been infected with a worm after clicking on an image of a scantily clad woman, which then redirects the victims to a pornography site, according to security researchers.
The worm posts an image on a victim’s Facebook Wall with a photo of a woman in a bikini and the message “click ‘da button, baby.” Wall posts are viewable by a Facebook user’s friends.
If a friend clicks on the image while logged into Facebook, the image is posted to their own Wall. Their Web browser then opens a Web page with a larger version of the same image. A further click on “da button” redirects the friend to a pornography site, according to Roger Thompson, chief research officer for antivirus vendor AVG Technologies. Thompson posted a video of the attack on his blog.
The creators of the worm are likely making money by driving referrals to the pornography site, said Nick FitzGerald, a threat researcher for security vendor AVG.
Researchers aren’t quite sure exactly how the worm works, but believe it may be a cross-site request forgery (CSRF) attack, a clickjacking attack, or a mix of both.
A CSRF attack occurs when a victim’s credentials are used to perform some action but without their knowledge. In this case, the attacker fraudulently posts the image to the victim’s Facebook Wall, piggybacking on the fact the victim is logged into their account.
Another possibility is clickjacking, where attackers use Web page layout tricks to get victims to click Web buttons without realising it.
Clickjacking is possible due to a fundamental design feature in HTML that allows Web sites to embed content from other Web pages. Web browsers are vulnerable to clickjacking attacks, although browser makers have worked to shore up defenses against them.
Facebook classifies the attack as clickjacking, an attack that is “not specific to Facebook,” according to a written statement. Facebook also said the attack was not a worm.
“We’ve taken action to block the URL (Uniform Resource Locator) associated with this site, and we’re cleaning up the relatively few cases where it was posted,” the statement said. “Overall, an extremely small percentage of users were affected.”
If the worm does spread through a clickjacking attack, “it may be difficult for Facebook to fix reliably,” FitzGerald said. “Regardless, it is a worm.”
Facebook warned users not to click on suspicious links. However, in this case, the link doesn’t stand out as necessarily suspicious given the variety of Wall postings, graphics and applications that appear all over the popular social-networking site.
In fact, one security researcher inadvertently reposted the suspect graphic before realising something wasn’t right. “This shows that even experts can become complacent and trust systems when they really shouldn’t,” wrote Gadi Evron, an independent security researcher, on Dark Reading’s blog.
Apple on Wednesday released an update to QuickTime, version 7.4.1. The update is available through the Software Update system preference and from Apple's downloads web site; separate updaters have been posted for Mac OS X v10.3, 10.4 and 10.5. The update "addresses security issues and improves compatibility with third-party applications," according to Apple. Apple provided no additional details about those changes in the release notes, but confirmed that this update addresses a previously reported incompatibility between QuickTime 7.4 and Adobe After Effects. According to a separately posted note on Apple's web site, QuickTime 7.4.1 also includes a security improvement that can prevent a malicious web site from causing an unexpected application termination or arbitrary code execution.
Peter Cohen and Robert McMullen | Feb 7, 2008
If you're using Apple's Safari browser, PayPal has some advice for you: Drop it, at least if you want to avoid online fraud. Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer.

"Apple, unfortunately, is lagging behind what they need to do, to protect their customers," Barrett said in an interview. "Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera." Safari is the default browser on Apple's Macintosh computers and the iPhone, but it is also available for the PC. Both Firefox and Opera run on the Mac.

Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari's lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site.
Robert McMillan | Feb 29, 2008
Phishers have targeted users of Apple's iTunes music store with sophisticated identity theft attacks for the first time, a security company said Tuesday. People began receiving spammed messages Monday telling them that they must correct a problem with their iTunes account, said Andrew Lochart, an executive with e-mail security vendor Proofpoint Inc. A link in the spam leads to a site posing as an iTunes billing update page; that phony page asks for information including credit card number and security code, Social Security number and mother's maiden name.
Gregg Keizer | May 21, 2008
Like Facebook before it, MySpace is having to take corrective steps to curb spam from applications built by external developers using its new application development platform. In a posting to the official MySpace Developers blog on Tuesday, MySpace President Tom Anderson announced changes to the application guidelines intended to prevent developers from building self-promotional features into their applications that result in intrusive and deceitful behaviour, such as generating unsolicited messages to other users or tricking application users into approving such actions.
Juan Carlos Perez | May 22, 2008
App Store developers will now be able to reach customers in 13 new countries, according to an announcement on the iPhone Developer Program news page.