Doc blocker : Oxford University blocked Google Docs

ox_small_cmyk_posFor about two and a half hours on Monday, students at Oxford University couldn’t access Google Docs after the University’s Computing Services team decided to take “extreme action” to halt phishing attacks and also to put pressure on Google.

Robin Stevens of OxCert explained in a blog post that, in the past, Google has been slow to respond to requests to help the university. The university’s problem is that phishers are frequently using Google Docs to present phishing forms to its users, with a legitimate domain shown to the user and not detectable by firewalls as Google traffic is over SSL. If phishing mail directing users to pages like this gets past the defenses, it is hard to detect and respond to.

Google’s security team have pointed the university at the “Report Abuse” button at the bottom of the Docs pages, but this takes time, at least a day or two and sometimes weeks, before Google respond. By that time the phishing attack is long gone; any users who would have been fooled will have most likely clicked a link within hours of the dubious mail arriving.

On Monday afternoon, the security team at Oxford were seeing multiple phishing incidents taking place and that tipped things over the edge; after considering the impact on legitimate business, it blocked Google Docs to prevent the phishing attacks deploying their information extracting forms. Stevens says the impact was actually greater on legitimate business than expected due to Google’s tight integration of Docs with other services, so, after two and a half hours, the restrictions were lifted.

He hopes that the temporary block will at least draw attention within the university to the dangers of phishing. He also hopes that Google will, with the resources at its disposal, find some way to automate responses to abuse reports. He closes saying “Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services.”


Adult Phishing Scams Haunt Aura Kasih


Symantec: Phishers continue to target Indonesian celebrities with adult scams. Phishing attacks on rock star Ahmad Dhani have already been seen. In July 2012, Symantec observed a phishing site that claimed to have an adult video of Indonesian actress and singer Aura Kasih. The phishing site spoofed a social networking brand and was hosted on a free Web hosting site.

The adult scam came in light of a recent scandal surrounding the singer. An adult video, allegedly of Aura Kasih and pop star Nazril Irham, has been circulating recently in Indonesia over the internet and mobile phones. It is rumored that the video started appearing after Nazril Irham’s laptop was stolen.

Phishers created the phishing site with an image of a video link of Aura Kasih. A message in Indonesian on the image prompted users to login to view the video. The message also mentioned that the video was provided in secret by the social networking site and asked users not to distribute the video. A logo of the social networking brand was placed towards the image on the left with the caption, “Download Video”. After users entered their  login credentials they were redirected to an Aura Kasih blog page. The blog page contained several fake links giving the impression that clicking them would lead to adult videos of the singer.

Phishers are constantly monitoring current events to incorporate them into their phishing sites. They perceive that by doing so, the phishing sites look more authentic which improves their chances of harvesting user credentials. If users fall victim to the phishing site, phishers would have successfully stolen their information for identity theft. The strings contained in the phishing URL indicate that the video in question is available after logging in.

The phishing URL is:



Internet users are advised to follow best practices to avoid phishing attacks:

Phishers Offer Fake Storage Upgrades

Symantec Connect: Customers of popular email service providers have been a common target for phishers for identity theft purposes. Phishers are constantly devising new phishing bait strategies in the hope of stealing user email addresses and passwords. In April 2012, Symantec observed phishing pages that mimicked popular email services in an attempt to dupe users with attractive storage plans.

Customers were flooded with fake offers of free additional storage space for services such as email, online photo albums, and documents. In the first example, the phishing site was titled “Welcome to New [BRAND NAME] Quota Verification Page”. According to the bogus offer, the additional storage plan ranged from 20 GB to 1 TB per year, at no extra cost. The phishing page boasted that the free additional storage plan will help customers prevent loss of data and the inability to send and receive emails due to exhausted storage space. It also stated that the plan will auto-renew each year and the customer can choose to cancel at any time by returning to the same page:


To avoid customer suspicion when the bogus offer doesn’t materialize, phishers used a time-buying strategy. They indicated that customers would be contacted 30 days prior to renewal and also that the upgrade process will take effect in a 24-hour time span. After user credentials are entered, the phishing page redirected to a page which confirmed the upgrade was initiated and complete. The phishing page then redirected back to the legitimate service website:


Similar phishing pages were observed spoofing other email services. The phishing site in this second example is titled “Obtain Free Additional Storage”. The same bait was used here as well:


To gain customer trust, the email address field was auto-populated on the fake page and is also concealed in the query string. Looking deep into these scams, it is evident these phishing scams are targeted attacks. By randomizing the email address in the query string of the phishing URL, the same phishing page can be used for targeting multiple users. Below is the URL format:


Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software which protects you from online phishing.

Scam for FC Barcelona Fans

Symantec Connect: Phishers often choose baits with the motive of targeting a large audience. Using popular celebrities as bait is a good example. Phishers understand that choosing celebrities with a large fan base would target the largest audience and supply more duped users. This month phishers are using the same strategy but, instead of targeting a popular celebrity, they associated their phishing site with the popular FC Barcelona football club. FC Barcelona is the world’s second richest football club and has a large fan following. The phishing site, hosted on a free web hosting site, has since been removed and is no longer active. However, though phishing sites are frequently short-lived, internet users should be aware that other phishing sites using this or a similar template could easily be encountered in future.

article thumbnail

The phishing site prompted users to enter Facebook login credentials while the page content was designed to highlight the football club. The phishing page was titled “facebook F.C.B.” and the background contained an image of Javier Mascherano who plays in the defensive midfielder position for FC Barcelona. The fake page also contained the official logo of the football club (in the bottom left). After login credentials are entered, the phishing site would redirect to the legitimate Facebook community page for FC Barcelona. The purpose of redirecting to a legitimate page is, of course, to create the illusion of a valid login. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

Phishers Dislike Facebook Timeline

Symantec Connect: Phishers regularly introduce new types of fake applications with the motive of improving their chance to harvest user credentials. In February 2012, Symantec observed a phishing site recommending a fake application that allegedly removes “Timeline” profile for Facebook users. The phishing site was hosted on a free web hosting site.


The phishing site embedded the Facebook Timeline promotion video from YouTube, with the claim “Remove Timeline Now”. According to this phishing site, users will have their “Timeline” removed from their Facebook profile and get back their old profile page—only after they enter their login credentials. To make the fake application look more authentic, phishers added that it was protected by an antivirus product with the logo of the antivirus brand placed below the login form. After user credentials are entered, the phishing page redirects to a page which displays a screenshot from the Facebook Timeline promotion video. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes.


Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

This time, the bad guys want your tax accountant

avast: While taxpayers are the regular target of springtime malware schemes, this year the bad guys are aiming for the accountants.

A series of imposter emails are threatening recipients with the removal of their professional accreditation if they fail to respond promptly. The tax-phish appear to be from organizations such as the American Institute of Certified Public Accountants(AICPA), Better Business Bureau(BBB), and Intuit tax services.


After clicking on the email, users are redirected through a hacked legitimate site to the final malware distribution center where their computer can download fake antivirus or another malware package selected by the bad guys.

This spam campaign started in the last week of February. A tax-themed attack is a traditional feature of March and April as Americans prepare their income tax returns.

The tax-time malware is the latest example of the BlackHole Exploits Kit at work – and shows that the bad guys’ graphic and language skills are improving.

The BlackHole Exploits Kit is a set of code available to bad guys on the black market. The Kit primarily focuses on JavaScript vulnerabilities. The Kit is used to spread malware such as Zeus botnets, rootkits, or fake antivirus packages. BlackHole has been continually improved since the first version surfaced in August 2010. Not only does BlackHole remove competing malware, it also comes with an option for the bad guys to test its efficiency against the major antivirus suppliers. That is real criminal quality assurance.


From the graphic perspective, the email is visually attractive, even including a fake sending address and is in reasonably good English. And, they even used the correct top level domains for the AICPA and BBB addresses.

The payload of this is most likely a fake antivirus. However, one of the technical attractions of BlackHole is that it is quite easy for the bad guys to change the payload and the redirector sites. So, it could really be anything.

So, watch where you click.

Phishing via NFC

At the RSA Conference 2012, McAfee’s Chief Technology Officer, Stuart McClure, and several of his colleagues, have demonstrated a whole range of different attacks on mobile devices. For example, they demonstrated an attack on an NFC (Near Field Communication)-enabled smartphone: the attacker simply attaches a modified NFC tag to a legitimate surface such as an advertising poster. For their live demo, the researchers used a Red Cross donations appeal such as those seen at bus stops in various cities across Europe.

The poster’s regular NFC tag took the browser to the Red Cross donations web site, where the donor’s details could be recorded. However, the modified secondary tag diverted the smartphone browser to a phishing site that pretended to be part of the Red Cross. McClure said that such attacks have already been observed in the wild.

The researcher also demonstrated how to take control of an iPad. When a victim clicks on a link in an email, a PDF file is downloaded, and malware is installed without the user’s knowledge via a vulnerability in the iOS code for processing PDFs. Although the attack is based on a vulnerability that has long been closed by Apple, the expert said that he assumes that newer iOS versions will continue to be vulnerable via jailbreaks.

Once a device has become infected, it establishes a connection to the command & control server and transfers, for example, its location. One click on the symbol that is displayed in Google Maps on the attacker’s system gives access to several options: to retrieve the SMS database, record the device environment using the microphone, or access the key chain. The key chain contains any passwords for applications and online services that are stored on the device.

Source: H-Security

Beware of spam this Valentine’s Day

SophosLabs: It’s Valentine’s Day tomorrow and the spammers are out in force to make the most of unwitting shoppers on the international day of love.

Looking to buy a present for someone this Valentine’s Day? Ooh look what popped into my inbox, an email inviting me to buy my Valentine an *ahem* “romantic” gift.


Valentine's Day, the 14th February, is the day we celebrate our feelings of affection for our boyfriends, girlfriends, husbands and wives. It is traditional to do this with a special romantic gift. Looking for a Valentine's Day Gift for him or the perfect token of love for her? Look no further than here!

Or if you fancy a quick makeover before the big day of love, there’s an offer for that too.


How would you like to look and feel your best this Valentines Day? Now you can by taking years off your face with a one of a kind Winter beauty makeover. Enter to win your makeover

Of course you shouldn’t click on any of these links unless you want to line the pockets of the bad guys.

But it’s not just spam, in previous years we’ve reported on Valentine Facebook scams, SMS scams and malicious ecards targeting the romantics among us.

Remember to always be suspicious of unsolicited emails carrying links and attachments.

And don’t get swept away in the moment and click on something you shouldn’t, or you might be left with something nasty long after the love has gone.

Phishers Bank on Tax Season

Sunbelt: With the U.S. currently in tax season, online criminals have, once again, sought to take advantage of this. Robert Stetson, one of Sunbelt’s malware researchers, spotted a phishing email posing as Intuit Inc., a company that “develops financial and tax preparation software”. They developed Quicken and TurboTax. Below is a screenshot of the said email:


Email details are as follows:

Subject: Please verify your tax information ASAP.
Message body:
Good afternoon,

With a view to agree that exact data is being kept up on our systems, as well as to be able to give you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or TIN, that is specified on your account does not correspond to the data on file with the Social Security Administration.

In order to verify the information of your account, please enter the secure section.


Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Clicking the link leads readers to download a Blackhole exploit.

Our friends at Sophos found a variant of this phishing email.

This is not the first time that online criminals have taken advantage of the U.S. tax season. In light of phishers banking on brands as a part of their social engineering ploy, legitimate companies such as Intuit Inc. does not normally send out emails of this nature. In fact, Intuit Inc. have made it a point to make clear to their clients what they will do and what they will not do in the context of sending out emails. Intuit clients are wise to take note of this point under the “What we’ll do” section: If we need you to update your account information, we will request that you do so by logging into your account.

It is important that you, dear Reader, are familiar with how your service providers conduct their services and how they respond to online threats that target them. Equally, these providers must be responsible in informing you of the latest threats affecting you and their brand and provide ways on how you can protect yourselves from such threats.

Megaupload, up again? no

GFI: You’re probably aware that Megaupload has wandered into what can only be described as a bit of a pickle, assuming said pickle is roughly the size of a Vogon Constructor Fleet.

Given that lots of people probably want to take a peek at the FBI Anti-Warning currently pasted across the front of (or maybe even just see if the site is back online), it’s a fair bet that Ye Olde Typo Fairy will be called into action and some of them will end up going to Megaupload(dot)cm.

You can see what they did there.

On the basis that Wikipedia hasn’t gone dark for a day or covered itself in pictures of Jimmy Wales, we can see that the .cm TLD is intended for domains connected with Cameroon. Typosquatting seems to be a bit of a thing:

 In a report published in December 2009 by McAfee, “Mapping the Mal Web – The world’s riskiest domain”, .cm was reportedly the riskiest domain in the world, with 36.7% of the sites posing a security risk to PCs. [5] It is widely assumed that malicious domain programmers rely on inadvertent misspellings of well-trafficked websites ending in “.com” to lure unsuspecting users to their domains.

Registered back in 2009, Megaupload(dot)cm takes you a site located at surveytakelive(dot)com, which tells us via the method of popup box that there are prizes up for grabs and you’ll have to fill in some personal information.

Next up, you have to pick one of the three options presented. I went with the Love Thermometer, mainly because it’s called the Love Thermometer and also has a graphic of a baseball bat.

Hitting the Love Thermometer button takes us to a promo located at enterfactory(dot)com, which turns out to be a mobile phone promotion costing various amounts of cash per day until the user unsubscribes.

The adverts served are region specific – the above are what you’ll see if in the Philippines, whereas visiting from the US will result in iPad, Walmart and Visa giftcard offers instead.

Be mindful of what you’re typing into the URL bar, and let me know if you discover what the Love Thermometer actually does…