Sunday, February 27, 2011

A few "rogue" companies try to misuse Twitter notification system to send spam

Here we go again. I get a “Twitter notification” in my email on AOL.  I have to enable the link, and it is a link to a site to sell pharmaceuticals. Since I am on Mozilla, MyWOT intercepts the web page, grays it out, and warns me of a poor reputation, with adware and possible spyware, and an orange on trustworthiness. Webroot did not warn me about the site, and McAfee had it as unclassified.  On my setup, only Mozilla would catch this. 

The point is that some companies are using the “Twitter notification” to send ads of a questionable or, to some people, somewhat objectionable  nature.

Twitter does generate legitimate notifications when you have a new follower.  If you get a notification and your number of followers has not changed, consider that it may be a “phishing” or adware “notification” and you may not want to view it. This seems to be another trick for generating spam. 

Facebook (on IE in Windows) suddenly (at least apparently) redirects to "Social Rewards Survey" and gets caught in loop; the "misstyped domain name problem"?

Saturday evening, just as I was preparing to shut my laptop down and go out and "party", I checked Facebook on Internet Explorer and got redirected to a site like “socialsurveyrewards.com”.  The survey asked a few questions about satisfaction with social networking sites and then tried to offer me a choice of prize drawings, varying from iPhones to ringtones.  It asked for the cell phone number, which I probably foolishly gave, and then sent text messages with pin numbers to be entered, following by silly messages about “guessology.com” or  “bestmindquiz.com” or “Textea alerts”, and a quote “The eye of an ostrich is bigger than its brain” which I think comes from “The Bourne Identity.”   The site seemed caught in a loop and I could only get out of it by closing Internet Explorer.  I tried Facebook again in IE and got the same result. I did not see any evidence that the site was trying to sell fake anti-virus software. 

I then tried Facebook in Mozilla Firefox and got in (to my own “News Feed”) without interruption. I was in Windows 7; I haven’t yet tried Facebook on my new MacBook, but I doubt anything like this will happen. (Ever notice: media pictures of Mark Zuckerberg  always show him on a Mac, never a Windows machine.)
To investigate further, I tried the 877 number in the text( “1-877-707-6177”) and got “Mobile Media Solutions”.

Sunday morning, I ran a Webroot sweep and found only some new and unfamiliar spy cookies, which Webroot quarantined.

Since I already publish my cell phone number (but not my land line) on the Web, I don’t see any threat of abuse of the cell phone Blackberry account with Verizon. The app did not ask for passwords or any other information.

Nevertheless, such behavior when trying to bring up Facebook is perplexing. To say the least, Facebook should cut ties with whoever provides this intrusive survey.

I’ve tried Bing and Google searches on “socialrewardssurvey.com” and found very little, but at least one other user asking about this behavior. I can’t find a MYWOT or Site Advisor report for the site itself from search engines.

One grim, if remote, possibility is that this could have something to do with the 2008 threat to the domain name system, as reported in my "ID Theft" blog in August 2008; that had led to emergency international security meetings at Microsoft in July 2008. (Brian Krebs had a typical story about this problem at The Washington Post in August 2008 here.)


Update: Now it is looking like it might have been the result of a misspelled domain name "faceook.com" taking one to a survey site.  In any case, it's working OK in Internet Explorer today. 


Update: March 2: I got another text from "guessology" at 7:30 AM EST this morning. I hope this isn't the start of something. No, I don't need more ring tones. 

Thursday, February 24, 2011

McAfee Site Advisor rating smaller individually-owned sites as gray (untested) suddenly, after being green for years

I’ve noticed this morning that McAfee Site Advisor, on more than one of my computers, is showing all of my sites and blogs (doaskdotell.com, billboushka.com, and sixteen blogs on Blogger) as gray, or “untested”, even though the site repot says “a few users” and gives no negative information. (Actually, the reports also still have a notation at the bottom, now in gray, "this site is good" along with other unchecked indicators.) Until yesterday, to the best of my knowledge, these sites were green. Now McAfee says they are all queued for testing ("retesting"?) 

I tried some other blogs and flat sites (both Blogger, Wordpress, and others) operated by individuals  with relatively lower volume, and got the same result (gray).  I won’t “name names” here.  Some of them belong to musicians and small arts groups; but generally not larger corporations or other organizations. They may include so-called "mom and pop" or "mommy" blogs. (Don't worry, Heather Armstrong; your "dooce" blog is still green by SiteAdvisor.) 

Many of these sites (including mine) still rate green from  MYWOT. 

I tried a corporate blog from Roadside Attractions (an indie movie distributor) on Blogger and got the same result.   But the “Righthaven Victims” blogger entry still was green on Site Advisor. (By the way, Righthaven itself was rated yellow!  Weird. Read the report!).

Internet Explorer, Mozilla and Chrome all can show Site Advisor ratings. 

Have others noticed the same behavior of Site Advisor today?  The best browser to use to look at this problem is probably Mozilla.

Yahoo! “Safe Search” still shows these sites as OK.

My own traffic this morning is actually higher than usual, so the McAfee Site Advisor issue doesn’t seem to affect it.  But we want these site advisor products to work properly, because visitors ought to use them and look at them.

I can think of a good reason for "amateur" sites to go gray (or go "bald"); they tend to add lots of links without checking the links, and site advisory services consider the quality of secondary links offered.  McAfee may believe it cannot keep up with or vouch for secondarily linked sites, but it could add another color code saying (like blue or turquoise) meaning just that.  Corporate and government agency sites tend to do much less secondary linking and contain legal disclaimers for them.

McAfee offers a process of site owners to leave comments, which involves registering, and then FTP-ing a site in your root directory with that exact name (which is very long with random characters). I may try this later.  This would not work on free blogs not mapped to owned domains with A-records, so that’s another reason why it may be better to “own” all your own blog space rather than use “free” services from Blogger and Wordpress. 

If someone knows what is going on with Site Advisor, I’d appreciate a comment.  I’ll note on Facebook and Twitter, too.  Are we seeing the fallout of what Andrew Keen calls "the Cult of the Amateur"?

Update: March 1

Even Google's own corporate blog turned up as "gray" on McAfee Site Advisor this morning!

Wednesday, February 23, 2011

Facebook embraces https (as of late Jan.); do "ordinary personal sites" need https?


Okay, I changed my security settings on my own Facebook account today to make all use of the site https.  Really, the main place it matters is public places.  Facebook’s own blog entry, as of Jan. 26, is (website url) here and a typical commentary is here with a CNET video.


Should “ordinary” websites and blogs be required or “expected” to implement https?  They should if they require user login with password, or if they take credit card information or any other PII.  But if all you have is one-way content (text, pictures, videos) and you don’t require login for comments, it doesn’t seem necessary to me.


Tuesday, February 22, 2011

Don't use debit cards online at sites without https; beware of RFID-enabled cards

Monday, Feb. 21, Liz Crenshaw at NBC Washington reported on the dangers of shopping online with a debit card at sites that don’t use ecryption (https://). Two women reported having their bank checking accounts raided after ordering takeout food from a particular Chinese restaurant. In one case, the woman found a series of small charges that wiped out her account. Websites without encryption are prone to hacking when debit cards are used. This may be even more the case with wireless. And debit card use online is riskier because you already have the money.

It took the victim about ten days to get the money restored to her account.

No link or video is available yet.

But here’s a youtube video from “Boing Boing TV” in San Diego that shows that RFID-enabled cards (radio frequency enabled) actually decrease security, as someone shows how these cards can be read just by proximity, even when the victim is not processing a transaction. The only protection is a steel wallet. The video maintains that banks need to take more responsibility for centralized decryption of these devices. This would be particularly dangerous with debit cards.

But the main advice is still: don’t do business at sites without https.

Wednesday, February 16, 2011

Search engine companies fight malware placement; companies should expect intrusions to happen despite best efforts

Search engine companies, most of all Google, Bing and Yahoo!, have stepped up efforts to protect users from “search engine spam”, which designs web pages with malware or spyware to appear near the top of search engine results.   The story by Jeff Bliss appeared on Bloomberg today here. Google has particularly stepped up efforts in the past few months to identify “news spam” and other adware which may attempt to attract visitors with false rumors or fake imitations of known news sites.   Yahoo!, as we know, offers a Safe Search through Firefox.

The story notes that infected web pages from “legitimate” (non-porn) sources have increased markedly starting around 2006. 

The story appeared on Twitter.

Computerworld has a story by Jaikumar Vijayan advising that corporate network administrators should accept the reality that sometimes they will be infiltrated, and should focus on “behavioral” profiling rather than constantly looking for specific signatures, link here

Tuesday, February 08, 2011

Spammers emulate UPS, maybe FedEx

Here’s another wrinkle on Nigerian scams. I’ve gotten one purporting to be from UPS (since I do business at a UPS Store), offering a $1.5 UN check and just asking for an email to be sent to an address in Nigeria.  No sites to go look at to fill in info.  Weird.  I suppose the scammers will use FedEx, too.

AOL has not been too accurate in filtering out the spam, sometimes flagging legitimate renewal notices but not catching even most of the bank-emulating spam. 

Thursday, February 03, 2011

Former botnet operator still controls a half million email "credentials"

Although a ménage of domains operated by botnet Waledac was taken down after legal action by Microsoft some time back, its operators still control about 500000 email credentials, according to a story by Angela Mascaritito in SC Magazine, link here

The credentials are important because they would enable a spammer to bypass normal email verification protocols, which are supposed to stop simple sender spoofing. Then it could appear to recipients that the supposed sender really did send the spam email, which might have legal consequences.  

The story link was tweeted by Webroot early today.