[IS&T Security-FYI] SFYI Newsletter, March 9, 2009
Monique Yeaton
myeaton at MIT.EDU
Mon Mar 9 13:44:42 EDT 2009
In this issue:
1. Worm Invades Facebook and MySpace
2. Clickjacking
-----------------------------------------------------
1. Worm Invades Facebook and MySpace
-----------------------------------------------------
Facebook, MySpace and other social networking communities are under
attack by a new strain of the Koobface worm, which spreads by tricking
users into responding to a message, apparently sent by one of their
friends.
The message invites the recipient to click on a link and view a video
at a counterfeit YouTube site. Visitors are told they need to install
a bogus Adobe Flash plug-in to view the video. The bogus plug-in
installs a Trojan horse program that gives Koobface author(s) control
over the infected user's computer, hijacks the victim's social
networking account and uses it to send out additional invites to
spread the worm to the victim's friends and contacts.
The worm currently is spreading across other social networks as well,
including hi5.com, friendster.com, myyearbook.com, bebo.com, and
livejournal.com.
More information:
<http://voices.washingtonpost.com/securityfix/2009/03/koobface_worm_resurfaces_on_fa.html>
[Article source: SANS]
------------------
2. Clickjacking
------------------
Clickjacking is one of the newest and most talked-about, yet at the
same time one of the most secretive, new buzzwords in Internet
security. Clickjacking is actually a rebranding of what was originally
called "UI (user-interface) redress": an exploit in which malicious
code is hidden beneath apparently legitimate buttons or other
clickable content on a Web site.
Clickjacking occurs when a malicious program is embedded in a Web
site. This program hovers invisibly under the user's mouse. Once the
user clicks (usually on a link, but it can be anywhere on the page), a
new Web site may appear or software may be downloaded, and clickjacking
has occurred. In some cases the user may recognize this immediately;
in other cases the user may be totally unaware of what took place.
There are a number of things that have major Web sites and companies
especially alarmed:
1) The program can run on virtually any Web site without the Web site
owner's knowledge or ability to stop it.
2) Clickjacking can take the user to a mirror site while still making
them believe they are on the company's Web site, and mine personal
information there, information that is often freely given.
3) No browser, except the very few that are not based on graphics
(such as the text-based browser Lynx™), is spared from these attacks
or comes with a way to protect the user from possible jeopardy.
In addition to stealing personal data, such as bank account
information, credit card information and Social Security numbers,
clickjacking can also install a number of software applications
(including harmful viruses, spyware or adware) on a computer without
the user's knowledge.
Details on how clickjacking works, beyond the basic information
already listed, are being closely guarded. Browser and Internet
security software companies are working on a security patch that would
help correct the situation, but that may take some time. At the
moment, the onus seems to be on web developers to avoid writing the
type of scripts that can be exploited.
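Since the newsletter places the onus on web developers, here is what that defence looks like in practice. This is an added example, not code from the newsletter or from MIT IS&T. It assumes the standard anti-framing response headers (X-Frame-Options and Content-Security-Policy frame-ancestors) and a Node.js-style response object with a setHeader method; the window objects used to exercise the client-side check are constructed for the demonstration and are not real browser objects.

```javascript
// Added example: server-side and client-side defences against clickjacking.
// A clickjacking page works by loading the victim site in an invisible frame,
// so the core defence is to refuse to be framed by other origins.

// Build the response headers for a framing policy.
//   'none' -> the page may never be rendered inside a frame
//   'self' -> the page may only be framed by pages from its own origin
function antiFramingHeaders(policy) {
  if (policy === 'none') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  throw new Error(`unknown framing policy: ${policy}`);
}

// Apply the headers to any response-like object that has setHeader(name, value)
// (e.g. Node's http.ServerResponse). Returns the number of headers set.
function applyAntiFraming(res, policy) {
  const headers = antiFramingHeaders(policy);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return Object.keys(headers).length;
}

// Client-side fallback ("frame-busting") for browsers that ignore the headers.
// Given a window-like object { top, self, location }, decide whether the page
// is being framed by a different origin. A real page that gets `true` here
// would typically replace top.location with its own URL or blank itself out.
function isFramedByOtherOrigin(win) {
  if (win.top === win.self) return false; // not inside any frame
  try {
    // A same-origin parent lets us read its location; a cross-origin parent
    // makes the browser throw a SecurityError on access.
    return win.top.location.origin !== win.self.location.origin;
  } catch (e) {
    return true; // access blocked: treat as hostile framing
  }
}

// Constructed window objects for the demonstration (not real browser objects).
function sampleWindows() {
  const page = { location: { origin: 'https://bank.example' } };
  const sameOriginParent = { location: { origin: 'https://bank.example' } };
  // Simulates the browser refusing cross-origin access to the parent's origin.
  const crossOriginParent = {
    location: {
      get origin() {
        throw new Error('SecurityError: cross-origin access denied');
      },
    },
  };
  return {
    notFramed: { top: page, self: page },
    framedSameOrigin: { top: sameOriginParent, self: page },
    framedCrossOrigin: { top: crossOriginParent, self: page },
  };
}

// Stand-alone run: show the headers and the three framing cases.
function demo() {
  const fakeResponse = {
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
  };
  applyAntiFraming(fakeResponse, 'none');
  console.log('headers sent:', fakeResponse.headers);
  const wins = sampleWindows();
  for (const [name, win] of Object.entries(wins)) {
    console.log(`${name}: framed by other origin = ${isFramedByOtherOrigin(win)}`);
  }
}

demo();
```

The headers are the primary defence, because the browser enforces them before any script on the page runs; the frame-busting check is only a fallback, since a hostile parent page can interfere with scripts inside the frame in ways it cannot interfere with header enforcement.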
Users who adopt some sort of solution will find that Internet
browsing becomes different from what they are used to. There are
applications, such as NoScript™, that can block Java and scripts
from running in the browser, but this would render some Web sites
virtually useless, and you'd have to live with the consequences of
enabling Java or Flash when visiting Web sites that can't be viewed
without them.
Clickjacking was used to attack Twitter a few weeks ago:
<http://www.theregister.co.uk/2009/02/26/twitter_clickjack_attack/>
For tips on securing your web browser see the information provided by
CERT:
<http://www.cert.org/tech_tips/securing_browser/>
More information about clickjacking:
<http://www.brighthub.com/internet/security-privacy/articles/9740.aspx>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.