STE WILLIAMS

D’OH! Use Tumblr on iPhone or iPad, give your password to the WORLD


Exclusive: Tumblr’s iOS app fails to log users in through a secure (SSL) server, it has emerged. As a result, users’ plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats’n’grumble free-content platform.

The wide-open security howler was discovered by a Reg reader during the course of auditing for his employer which iOS apps were permissible for use on corporate smartphones.


“I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorised access to company data, contacts, etc),” he explains.

“It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third party analytics companies, not seeing any mention of it in the company’s Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does.”

As part of this process our man was asked to review Tumblr as a possible app that could be installed on users’ work iPhones. Checking www.cluefulapp.com appeared to give Tumblr a clean bill of health. However, he had a shock when he checked the network traffic. Screenshot here (note – the email address used was disposable and the password has been changed, our source assures us).

“The Tumblr iOS app is sending the password over plain text and not over SSL,” our source explained, clarifying “we are not talking about password reminders but about just opening the app and logging in through the iOS app.”

“This occurs when you first log into the application, although I didn’t check past the initial logon screen,” he added.

The same network traffic checks on a Mac revealed that login to Tumblr in this case was passed through a secure server, which avoided the exposure of usernames and passwords in plain text.

In all the iOS app testing our source carried out, he removed the SIM card so all the data travelled across a Wi-Fi network. The risk posed by the behaviour is obviously more severe if the Wi-Fi network being used is open and insecure, as is often the case with Wi-Fi hotspots in travel hubs such as airports and train stations, hotels and coffee shops.

Our source only came to El Reg with the issue after failing to get it resolved by simply reporting it to Tumblr’s support team.

Dodi Glenn, director of security content management at ThreatTrack Security, confirmed that the Tumblr iOS app failed to pass initial logins through a secure server.

“For an application like Tumblr, there should be no reason not to pass the login information over SSL,” Glenn told El Reg. “We simply ran a firewall on a device in order to get some visibility of where the login process was going. Our investigation, though not scientific, suggests that it has one SSL connection but not at the point of logging in.”

The FireSheep network sniffing tool made it child’s play to capture the session log-in cookies of users on the same insecure wireless network. The appearance of the tool prompted sites like Twitter and Gmail to offer encrypted versions of their services via HTTPS connections. But at a time when always-on encryption is becoming more widespread, Tumblr is failing to apply any encryption to the most sensitive part of the process, the initial login, for users of its native iOS app.
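The audit described above boils down to one check on a captured request: are credential fields readable because the request was never wrapped in TLS? The following is an added example of that check, not code from the article, the source, Tumblr or ThreatTrack. The sample requests are constructed; the host `api.example.invalid`, the paths and the field names are assumptions rather than the real Tumblr endpoints, and the port stands in for whether a passive sniffer could decode the request at all.

```python
"""Flag login requests that carry credentials outside TLS.

Added example (not from the article or Tumblr's code). The sample
requests below are constructed; hosts, paths and field names are
assumptions, not the real Tumblr endpoints.
"""
from urllib.parse import parse_qs

# Form or query fields that, if seen in cleartext, expose a credential.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "user[password]"}

# Constructed sample: a form login posted over plain HTTP.
SAMPLE_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"email=alice%40example.invalid&password=hunter2"
)

# Constructed sample: credentials leaked in a GET query string.
SAMPLE_QUERY_LOGIN = (
    b"GET /auth?user=bob&pwd=letmein HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "headers": headers, "body": body.decode("latin-1")}


def find_cleartext_credentials(raw: bytes, port: int) -> list[str]:
    """Return credential field names sent over a non-TLS port.

    A passive sniffer can only reconstruct this request if it was not
    inside TLS, so a decodable request on port 80 means exposure.
    """
    if port == 443:
        return []  # TLS: the payload is opaque to a passive observer
    req = parse_request(raw)
    found = []
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and "application/x-www-form-urlencoded" in ctype:
        for field in parse_qs(req["body"], keep_blank_values=True):
            if field.lower() in CREDENTIAL_FIELDS:
                found.append(field)
    # Credentials in the query string are exposed regardless of method.
    if "?" in req["target"]:
        for field in parse_qs(req["target"].split("?", 1)[1]):
            if field.lower() in CREDENTIAL_FIELDS:
                found.append(field)
    return found


if __name__ == "__main__":
    print("port 80 :", find_cleartext_credentials(SAMPLE_LOGIN, 80))
    print("port 443:", find_cleartext_credentials(SAMPLE_LOGIN, 443))
```

The same request yields a finding on port 80 and nothing on port 443, which is exactly the difference the source saw between the iOS app and the Mac client.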

We’ve reported this issue to both Tumblr and Yahoo, which completed its acquisition of the micro-blogging service last month, but are yet to get anything more than an acknowledgement of receipt from either party. We’ll update this story as and when we hear more. ®

Updated to add

Last night Tumblr released “a very important security update” for its iPhone and iPad app that fixes “an issue that allowed passwords to be compromised in certain circumstances”. The sex-blog platform also urged users to change their passwords on Tumblr and anywhere else they’ve used the same password.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/17/tumblr_ios_uncryption/

Sony coughs up £250K ICO fine after security fears


Sony has begrudgingly abandoned its fight to contest a £250,000 fine handed down by the Information Commissioner’s Office after its massive 2011 PlayStation Network data breach.

The Japanese electronics giant was slapped with the fine back in January for breaching the Data Protection Act after the personal info of millions of Brits – including names, addresses and account passwords – was stolen by hackers who infiltrated its PlayStation Network systems.


Sony has now decided not to fight the fine, despite still strongly opposing it, because of fears the Information Rights Tribunal would have forced it to divulge sensitive details about its network security set-up.

“This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding,” a Sony spokesman told the BBC.

“We continue to disagree with the decision on the merits.”

Back in January, the ICO concluded after an investigation that the breach, which affected around 70 million gamers, could have been prevented if Sony had taken best-practice security measures such as hashing and salting stored log-in passwords and keeping system patches up to date.
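Hashing and salting, the measure the ICO singled out, means a leaked credential table holds per-user salted digests rather than passwords. The block below is an added example of that practice, not Sony’s or the ICO’s code. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the 600,000 iteration count and the record format `pbkdf2_sha256$<iterations>$<salt>$<digest>` are assumptions made for this example.

```python
"""Salted password hashing, the control the ICO said Sony lacked.

Added example, not Sony's or the ICO's code. PBKDF2-HMAC-SHA256 from the
standard library; the iteration count and record layout are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per stored password


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password
    get different records, so one precomputed table cannot crack them all.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    except ValueError:      # malformed record, bad hex, bad int
        return False
    # compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because the iteration count is stored with each record, the cost can be raised later for new passwords while old records still verify.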

Deputy commissioner David Smith said in a statement released at the time:

There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

The £250,000 fine is one of the biggest ever doled out by the ICO, although it can’t top the £375,000 handed down to Brighton and Sussex NHS Trust after patient records were stolen from a hospital and put on eBay. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/17/sony_ico_fine_accepted/

Psssst: If you wanna be rich, make the next privacy Robocop app


Revelations of US spooks monitoring the internet have freaked out consumers so much that privacy protection software will be The Next Big Thing.

That’s according to antivirus firm AVG, which reckons the market for products that safeguard online freedoms will be huge.


Siobhan MacDermott, chief policy officer at the company, said AVG was preparing for a future in which privacy software is a big part of its business alongside its malware-busting tools. The security expert was astonished by the reaction to the scandal of the web-snooping NSA PRISM project, which left consumers feeling “violated”.

She predicted a world in which consumers were obsessed with protecting their own digital communications from prying eyes, as well as making sure their kids aren’t press-ganged into handing over reams of sensitive data to fraudsters and other undesirables.

MacDermott has been in discussions with five major banks, including Goldman Sachs, Morgan Stanley and JP Morgan, about how best to tackle this emerging market. She asked them to estimate the size of the burgeoning privacy sector – and they had no idea.

“I asked them to size up the privacy market and all five told me that although they knew it was huge, they couldn’t yet give me a proper estimate of its size,” MacDermott said. “They were super-excited though, because there are a lot of new companies popping up in this space.

“My argument is that privacy will soon rival cyber-security in terms of market share. It’s about device control and protecting the online experience. It’s a nascent industry, so we’re still in the awareness phase and initial products phase. It’s going to be a big industry.”

Earlier this year, AVG bought a firm called Privacy Choice, which offers users a simple way to manage the privacy settings of software on their computers.

And Microsoft started bundling anti-malware software called Defender within Windows 8, causing some consternation among security firms, who stood to lose business.

MacDermott isn’t too worried that this will kill off her firm’s security division.

“Antivirus isn’t going to go away,” she continued. “Privacy will definitely grow faster, as it’s a nascent market versus a mature one, but security is in our DNA. Privacy will just be another layer on top of that.”

There would have to be international discussions on protecting citizens’ online privacy soon, MacDermott predicted, due to the differences in opinion between leaders in Europe, America and beyond.

“There is no common ground between Europe and America on issues like government surveillance,” she said. “In Europe, people remember a time when you could be killed for having the wrong political beliefs or religion. The people who run Facebook and other big social media companies don’t have that baggage, so privacy can be something of an abstract concept to them in a way it isn’t in Germany, for instance, with memories of the Stasi and Nazis.”

Pirate Bay co-founder Peter Sunde recently persuaded punters to donate at least $110,000 to start up an encrypted chat service called Heml.is, which will supposedly have tough encryption to keep spooks from snooping on one’s electronic nattering. He joined a growing number of firms looking to create the ultimate secure communications platform.

Sunde said: “We’ve decided to build a messaging platform where no one can spy on you, not even us.”

However, all the best encryption in the world may not be enough to totally keep the spooks at bay. Documents released by Edward Snowden show that the NSA’s creepy PRISM programme is more likely to store communications for a rainy day if they are encrypted. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/17/avg_privacy_story/

Microsoft DENIES it gives backdoor access to Outlook encryption


Microsoft has written to the US Attorney General asking him to let the company be more open about what information it hands over to the NSA, and has published a rebuttal of the claims from NSA whistleblower Edward Snowden about the privacy of its users.

“The Constitution guarantees the fundamental freedom to engage in free expression unless silence is required by a narrowly tailored, compelling Government interest,” said Microsoft’s general counsel Brad Smith in a somewhat groveling letter to AG Eric Holder.


“It’s time to face some obvious facts,” Smith wrote. “Numerous documents are now in the public domain. As a result, there is no longer a compelling Government interest in stopping those of us with knowledge from sharing more information, especially when this information is likely to help allay public concerns.”

Smith also published a blog post in which he rebutted claims that Microsoft has built backdoor access for federal investigations into some of its most popular software and services. Snowden’s evidence has been misreported, Smith said, and Microsoft wants to set the record straight.

Possibly the most damaging allegation is that Microsoft installed a backdoor in the encryption system used in Outlook.com. Snowden’s documents indicate this was installed at the request of the NSA and developed by Microsoft in conjunction with the FBI.

“We do not provide any government with direct access to emails or instant messages. Full stop,” Smith said. “We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts.”

When Microsoft receives a valid information request from law enforcement, it has no need to disable the encryption of messages, Smith said. Instead, Microsoft can take the data from its own servers (where it sits unencrypted) and then pass it on if legally required to do so.

As for Microsoft’s cloud service SkyDrive, Smith said that – like any other cloud provider – Redmond has to obey legal requests for data. The company had made changes in SkyDrive this year to “comply with an increasing number of legal demands governments worldwide,” but he said direct access to the system’s servers by analysts is not given.

Skype users should stop worrying as well, Smith suggested, and denied Snowden’s claims that Microsoft had made changes to Skype so that investigators would get easier access to call data, saying changes like the shift to supernodes and storing Skype IM data on Redmond’s own servers were simply improvements to Microsoft’s back-end systems.

“As Internet-based voice and video communications increase,” Smith wrote, “it is clear that governments will have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism. We therefore assume that all calls, whether over the Internet or by fixed line or mobile phone, will offer similar levels of privacy and security.”

Smith also took special care to reassure Microsoft’s business and government customers that none of their data has been given to the government for national security purposes, although it does deal with a small number of criminal investigation requests, including four last year. Microsoft’s encryption of such data has no backdoors, he said, and Redmond doesn’t share encryption keys with government.

“The United States has been a role model by guaranteeing a Constitutional right to free speech. We want to exercise that right,” Smith concludes. “With U.S. Government lawyers stopping us from sharing more information with the public, we need the Attorney General to uphold the Constitution.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/16/microsoft_denies_it_gives_backdoor_access_to_outlook_encryption/

From Russia with no love: Prez Putin dubs Ed Snowden ‘unwanted gift’


Russian president Vladimir Putin has described NSA whistleblower Edward Snowden as an unwanted “Christmas present” from America – and hinted that the cornered geek, still hiding out in a Moscow airport, will stop leaking details about US internet surveillance programmes.

Snowden is understood to be seeking political asylum in the former Soviet nation to escape any extradition attempt by Uncle Sam. But Putin has made it clear that will only be possible if Snowden “ceases his work aimed at inflicting damage on our American partners”.


Now the Russian premier has signalled that the ex-CIA technician may have changed his mind about leaking more sensitive American documents.

The world’s most exciting IT worker flew to Moscow’s Sheremetyevo airport from Hong Kong on 23 June, hoping to find asylum or at least safe passage to a sympathetic nation.

But the US has extradition agreements or at least friendly relations with most of the countries over whose airspace such a flight would travel, leaving him trapped and unable to flee to sanctuary in South America (here’s El Reg‘s take on how it could be done – aka the Snowden flights boardgame).

The outdoorsy (cough) Russian president discussed Snowden’s plight during a visit to the Gulf of Finland, in which he was planning to boost his action man credentials with a deep sea dive in a submersible craft.

He told students that Snowden was an unwanted “Christmas present” from the United States and said it was not yet clear which country would take him in.

The Russian President said: “How should I know? It’s his life, his fate.

“He came to our territory without invitation. And we weren’t his final destination… But the moment he was in the air… our American partners, in fact, blocked his further flight. They have spooked all the other countries, nobody wants to take him and in that way, in fact, they have themselves blocked him on our territory.”

Putin said he hoped that Snowden would leave, but reiterated that the country would offer him sanctuary on the proviso that he give up all political activity.

“As soon as there is an opportunity for him to move elsewhere, I hope he will do that,” Putin continued.

“The conditions for (Russia) granting him political asylum are known to him. And judging by his latest actions, he is shifting his position. But the situation has not been clarified yet.”

Russia’s Interfax news agency reported that Russian officials had not yet received Snowden’s formal application.

Last Friday Snowden, 30, met with human rights campaigners in the airport he is currently calling home. He told them that he was looking to seek temporary asylum in Russia before moving on to a different country. A lawyer told Russia’s Interfax news agency that Snowden was currently seeking advice on the matter.

The whistleblower’s mood may have been buoyed by news that Professor Stefan Svallfors, a Swedish academic, has written to the Norwegian Nobel Committee calling for him to be given a peace prize.

The sociology professor, who works at Umeå University, said that Snowden had made a “heroic effort at great personal cost” by revealing the existence of a shadowy US surveillance network.

His letter, published in a Swedish newspaper, read:

Through his personal efforts, he has also shown that individuals can stand up for fundamental rights and freedoms. This example is important because since the Nuremberg trials in 1945 it has been clear that the slogan “I was just following orders” is never accepted as an excuse for acts contrary to human rights and freedoms. Despite this, it is very rare that individual citizens have the insight into their personal responsibility and the courage Edward Snowden has shown in his revelation of the American surveillance programme.

The professor claimed giving Snowden the prize would redeem it from the “disrepute” incurred by what he called the “hasty and ill-conceived decision” to give President Barack Obama the award in 2009. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/16/from_russia_with_no_love_lost_edward_snowdens_time_running_out/

Pwn all the Androids, part II: Flaw in Java, hidden Trojan


Analysis Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.

The flaw, discovered by the “Android Security Squad”, stems from a Java-based issue (explained on a Chinese language blog here, Google translation here).


The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in an upcoming presentation at Black Hat in Las Vegas at the start of next month.

Bluebox first notified Google about a potential problem back in February, months prior to going public on the issue.

The practical effect of both flaws is the same: miscreants could upload Trojan-laden versions of Android application packages (.APK files) onto online marketplaces. These backdoored apps would carry the same digital signature as undoctored copies of the APKs.

The Chinese discovery is a “different approach to achieve the same goal as with the previous exploit,” Pau Oliva Fora, a mobile security engineer at ViaForensics, told Computerworld. Oliva Fora put together a (harmless) proof-of-concept exploit based on the Bluebox vulnerability last week.

Pack RAT

Bluebox Security has avoided going into details prior to its upcoming Black Hat presentation on 1 August but the work of Oliva Fora and other security researchers has revealed that the current Android app security shenanigans stem from duplicate filename trickery in Android application installer files rather than something more esoteric, such as a hash collision.

Android installation packages are compressed in containers that work like ZIP archive files. Regular ZIP utilities generally prevent you from having two files with the same name in one archive, but the ZIP format itself doesn’t preclude duplicated filenames – so with a bit of hacking and tweaking, you can fairly easily create a utility to build an archive with repeated filenames.

It’s this behaviour that spawns the vulnerability discovered by Bluebox Security, explains anti-virus veteran Paul Ducklin in a post on Sophos’ Naked Security blog.

“Android’s cryptographic verifier validates the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version,” Ducklin explains. “In other words, the APK passes its cryptographic tests at install time, even though what gets installed is bogus.”

Chinese whispers

The Chinese vulnerability creates a means for miscreants to inject code into the headers of APKs without screwing with digital signatures. However the potential of the attack is limited because targeted files (of the type classes.dex) need to be smaller than 64K in size.

Google has already released a security fix to smartphone manufacturers covering both the Bluebox master key vulnerability and the flaw uncovered by the Chinese researchers, according to a statement from Jeff Forristal, CTO of Bluebox, received in response to our inquiries into the issue.

Bluebox had already sent disclosure to Google regarding the additional vulnerability discovered, prior to it being publicized in the referenced blog post. A (second) patch has already been released publicly (AOSP, Android Open Source Project) to Google partners, although it is a bit too early to expect partners to have firmware updates containing the second patch ready for devices. A statement from Google indicates they scan for this vulnerability too in the Google Play Store, but Bluebox has not verified that statement.

Google has yet to respond to The Register‘s request for a comment on the vuln, so it remains unconfirmed whether or not Mountain View scans for modified applications that exploit either of the two vulnerabilities in its official Google Play store. Effective scanning would be little more complex than looking for duplicate filenames in APK files.
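Ducklin’s description of the bug (verifier checks the first copy of a repeated entry, installer extracts the last) and the scanning suggestion above both reduce to one property of the archive’s central directory. The following is an added example of that check, not Bluebox’s, Google’s or the Android Security Squad’s code. It builds a small ZIP in memory with `classes.dex` stored twice to mimic the layout the article describes; the archive is a constructed fixture, not a real APK, and the entry contents are placeholders.

```python
"""Detect duplicate entry names in an APK (ZIP) archive.

Added example, not Bluebox's, Google's or the Android Security Squad's
code. The archive is constructed in memory to mimic the duplicate-name
layout the article describes; it is not a real APK.
"""
import io
import warnings
import zipfile
from collections import Counter


def build_clean_apk() -> bytes:
    """Constructed fixture: one copy of each entry, as a normal tool writes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035 ORIGINAL")
    return buf.getvalue()


def build_duplicate_name_apk() -> bytes:
    """Constructed fixture: classes.dex stored twice, a different copy last.

    zipfile warns about duplicate names but, like the ZIP format itself,
    does not forbid them.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 ORIGINAL")
            zf.writestr("classes.dex", b"dex\n035 REPLACED")
    return buf.getvalue()


def duplicate_entries(apk: bytes) -> dict[str, int]:
    """Map every entry name that appears more than once to its count.

    infolist() walks the central directory in order and keeps every
    record, so it sees duplicates that a name-keyed lookup would hide.
    """
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def first_and_last_content(apk: bytes, name: str) -> tuple[bytes, bytes]:
    """Bytes a first-record verifier and a last-record extractor would each see."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        matches = [i for i in zf.infolist() if i.filename == name]
        return zf.read(matches[0]), zf.read(matches[-1])


def is_safe_to_install(apk: bytes) -> bool:
    """Reject any archive with a repeated name before signature checks run."""
    return not duplicate_entries(apk)


if __name__ == "__main__":
    apk = build_duplicate_name_apk()
    print("duplicates:", duplicate_entries(apk))
    verified, installed = first_and_last_content(apk, "classes.dex")
    print("verifier saw:", verified, "| installer would extract:", installed)
    print("safe:", is_safe_to_install(apk))
```

Rejecting the archive outright is the right response: once two records share a name there is no single file for a signature to vouch for, so no amount of cryptographic checking on either copy makes the install trustworthy.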

Stay away from those third-party apps

Google recently banned Google Play Store apps from updating outside the Play update mechanisms, as tech analysis blog GigaOM was among the first to note, so at least some protection is already in place.

Filters on Google Play don’t do much to help users who install Android apps from third-party stores, of course.

Consumers and business users of Android devices won’t really be protected until manufacturers roll out the Android software updates. Samsung is already pushing out a patch but other OEMs might be slower to react – and the whole process might take weeks, if not months.

Bluebox reckons 99 per cent of Android devices are vulnerable to the master key flaw. And that’s without even considering devices out there that are still in use but no longer supported.

Almost all Android devices are vulnerable, since the vulnerability has existed since Android 1.6 (Donut), and only the Samsung Galaxy S4 has been patched to protect against it, Trend Micro warns.

A blog post by Trend providing an additional perspective on the problem, and taking issue with Bluebox’s description of it as a master key vulnerability, can be found here.

“This vulnerability can be used to replace legitimate apps on an Android device with malicious versions,” explains Jonathan Leopando, a member of Trend’s technical communications team. “Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

“Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanised app for a bank would continue to work for the user, but the credentials would have been sent to an attacker,” he adds. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/16/android_sig_vuln_analysis/

Malware-flingers do it back-to-front : scaM snaps, spans Macs


Miscreants have brewed up an exceptionally sneaky strain of Mac malware that uses back-to-front trickery to disguise its true nature.

Janicab, which is written in Python, takes advantage of the right-to-left (RTL) override character U+202E to mask the malicious file’s real extension. The U+202E marker applies a right-to-left override to the display of part (but only part) of the malware’s filename.

So a file which appears to be called RecentNews.ppa.pdf is actually RecentNews.fdp.app. This is designed to trick users into thinking they are opening a .PDF file which is in reality an executable .APP.

This sort of back-to-front trickery has been seen in Windows malware in the past – such as Bredolab and the high-profile Mahdi trojan from last year – but it’s reckoned to be a new and unwelcome arrival on Macs.

In order to maintain the subterfuge, the malware displays a decoy document while silently executing in the background, installing malicious code on compromised Macs.

Because of the right-to-left override character, the usual file quarantine notification from OS X will also display with the words written backwards.
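The trick works because an invisible bidi control sits inside the name while the operating system still keys its behaviour on the real trailing extension. The block below is an added example of detecting it, not F-Secure’s, Cluley’s or Janicab’s code. The sample filename is constructed to match the RecentNews example above, with the RIGHT-TO-LEFT OVERRIDE (U+202E) placed before the reversed suffix; the rendering helper models only the single-override case and is a simplification of the full bidi algorithm.

```python
"""Spot Unicode bidi controls that disguise a file's extension.

Added example, not F-Secure's, Cluley's or Janicab's code. The sample
name is constructed after the article's RecentNews example; the code
point for RIGHT-TO-LEFT OVERRIDE is U+202E.
"""
import unicodedata

# Explicit bidi formatting controls: embeddings/overrides (U+202A..202E)
# and isolates (U+2066..2069). None of them belong in a filename.
BIDI_CONTROLS = ({chr(c) for c in range(0x202A, 0x202F)}
                 | {chr(c) for c in range(0x2066, 0x206A)})

# Constructed sample: looks like RecentNews.ppa.pdf, is really a .app
SAMPLE_NAME = "RecentNews.\u202efdp.app"


def find_bidi_controls(name: str) -> list[tuple[int, str]]:
    """Return (index, 'U+XXXX NAME') for each bidi control in the name."""
    return [(i, f"U+{ord(ch):04X} {unicodedata.name(ch)}")
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name: str) -> str:
    """Extension as the OS sees it: drop controls, take the final suffix."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = cleaned.rfind(".")
    return cleaned[dot:].lower() if dot != -1 else ""


def displayed_as(name: str) -> str:
    """Approximate rendering for a single RLO: text after it is drawn reversed."""
    rlo = name.find("\u202e")
    if rlo == -1:
        return name
    return name[:rlo] + name[rlo + 1:][::-1]


def is_disguised(name: str) -> bool:
    """True when a bidi control makes the shown extension differ from the real one."""
    if not find_bidi_controls(name):
        return False
    shown = displayed_as(name)
    dot = shown.rfind(".")
    shown_ext = shown[dot:].lower() if dot != -1 else ""
    return shown_ext != true_extension(name)


if __name__ == "__main__":
    print("controls :", find_bidi_controls(SAMPLE_NAME))
    print("displayed:", displayed_as(SAMPLE_NAME))
    print("real ext :", true_extension(SAMPLE_NAME))
    print("disguised:", is_disguised(SAMPLE_NAME))
```

A mail gateway or download scanner can apply `find_bidi_controls` on its own: a filename has no legitimate reason to carry these code points, so their mere presence is worth quarantining or at least rendering with the control shown.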

From Graham Cluley’s Security News

Adding an extra layer of sneakiness, the malware has been signed with an Apple Developer ID.

The nasty is designed to record audio and capture screenshots from infected computers, using the third-party command line utility SoX.

This information is then uploaded to a command-and-control server whose location is defined by seemingly innocuous pages on YouTube.

A full write-up on the attack, together with screenshots, can be found in a blog post by F-Secure, the Finnish anti-virus firm that was the first to issue a warning about the threat.

A good explanation of the right-to-left trickery that’s the main feature of the malware can be found in a blog post by independent anti-virus expert Graham Cluley here.

And a hat tip to David Hartley of Eset, who described the back-to-front mendacity as “Malice through the looking glass”.

None of the antivirus experts have stuck their necks out on this point, but the amount of care taken to put together the malware smacks of some sort of cyber-espionage campaign rather than common-or-garden cybercrime.

The decoy document dropped by Janicab is in Russian and that may well have something to do with the target audience. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/16/backtofront_mac_malware/

Yahoo! gets animated GIF commendation for defending user privacy


The Electronic Frontier Foundation has commended Yahoo! for parrying the federal government’s attempts to secretly slurp user data.

Yahoo! was awarded a sparkling-star GIF and a commendation by the Electronic Frontier Foundation on Monday for its thankless fight to preserve its users’ privacy against secret requests from secret courts in the democracy surveillance state known as America.


“Yahoo went to bat for its users – not because it had to, and not because of a possible PR benefit – but because it was the right move for its users and the company,” Mark Rumold of the EFF wrote. “It’s precisely this type of fight – a secret fight for user privacy – that should serve as the gold standard for companies, and such a fight must be commended.”

Although Yahoo’s fight was unsuccessful, and a ruling against it by the US Foreign Intelligence Surveillance Court of Review in 2008 caused it to hand over data, the EFF commended the Purple Palace for taking a stand.

Yahoo! is the only company in the EFF’s “Who Has Your Back” report to have received a flashing gold star, as opposed to the static stars awarded to all other companies. However, the company “still has a way to go in the other Who Has Your Back categories,” the EFF observed, noting that it is the last major email provider to not use HTTPS by default.

Besides Yahoo!, the EFF also recognized Twitter, MySpace, Sonic.net, Google, Comcast, and Amazon for fighting for their users’ rights to privacy within the courts.

The commendation of Yahoo! for defending user privacy comes after reports surfaced that Marissa Mayer has given each of Yahoo!’s 11,000 employees an athletic wrist band that can track movement, sleep patterns, and other data as part of a rumored revamp that will turn the Purple Palace into a futuristic panopticon. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/15/yahoo_eff_commendation/

Femtocell flaw leaves Verizon subscribers’ Wi-Fi and mobile wide open


Security researchers have demonstrated a flaw in femtocells that allows them to be used for eavesdropping on cellphone, email, and internet traffic. The hack was demonstrated on Verizon hardware, and the telco giant has issued an update to patch the vulnerability, but up to 30 other network carriers use systems with software that can be hacked in the same way.

Femtocells are used to boost Wi-Fi and mobile signals within a household, but a common form of software that many devices use has a major security flaw that allows all traffic to be recorded and analyzed. Tom Ritter and Doug DePerry from iSEC Partners demonstrated the snooping hack to Reuters using a Verizon Wireless Network Extender ahead of a lecture at the Black Hat hacking conference to be held later this month.


The researchers bought the Verizon femtocell for $250, and used open source software to test out the bugging attack. They also managed to boost the range of the femtocell to enable a much wider radius of data-slurping beyond the advertised 40 meter radius.

As many as 30 carriers could have hardware at risk, iSEC said, and the attack was simplicity itself – attack code can be pushed to vulnerable devices with no further user interaction needed. Since the firmware of femtocells is seldom updated, an attacker could eavesdrop for some time before being detected, and it’s not a hard hack.

“This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people,” said Ritter.

A hacked device could be placed in locales such as a restaurant frequented by high-value targets, and used to monitor data traffic that comes through the femtocell. The information can be stored and relayed back to the attacker using the adapted device, and used for further infiltration later.

Verizon’s update fixes the problem (otherwise, as at past Black Hats, the lawyers would almost certainly have stopped the briefings), but users of their Wireless Network Extender have to be aware of and apply the patch to lock down their femtocells. More worrisome is that the software is used widely in a variety of hardware femtocell systems – all users of all such hardware are advised to seek out their latest firmware upgrade.

“The Verizon Wireless Network Extender remains a very secure and effective solution for our customers,” said Verizon spokesman David Samberg in a statement. True – but only if those customers upgrade their firmware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/15/femtocell_flaw_leaves_verizon_customers_wifi_and_mobile_wide_open/

Latest phish trawl: Your Twitter friend may not really be your friend


A nasty new phishing campaign that aims to harvest Twitter login credentials is doing the rounds.

The scam typically appears in the shape of direct messages to prospective marks from one of their contacts. Attackers are using messages such as “This person is threatening to expose something bad about you” with a link.


The link takes prospective victims (who may be concerned they are about to be slandered or worse) to a dodgy site (twitller.com), which poses as a login to Twitter. Victims are encouraged to hand over their login credentials which are then used to take over compromised accounts and send more intimidating messages.

“This is a nasty trick especially when the sender is someone you know and trust. If you receive a suspicious DM or email from a person you know and trust, just warn him/her – the account is most likely hijacked and controlled by the attackers,” security blogger Janne Ahlberg warns.

A quick Twitter search on a key phrase suggests that the scam might have flared up around Thursday and run into the weekend. No more than a handful of people reported seeing it, so we appear to be talking about a low level or unsuccessful scam.

Any typo-squatting site associated with the attack is likely to get squashed but this won’t stop the ruse re-appearing under a slightly different guise or featuring a different site. Let’s be careful out there.
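The lure in this campaign depends on a domain that reads like the real one at a glance (twitller.com against twitter.com). A small lookalike check is one defensive control a mail or link filter can apply; the block below is an added example, not code from Janne Ahlberg’s post or from Twitter. The trusted-domain list and the sample URLs are constructed for the example, and the two-label domain extraction is a deliberate simplification that does not handle suffixes such as .co.uk.

```python
"""Flag login links whose domain merely resembles a trusted service.

Added example, not from Janne Ahlberg's post or Twitter. The trusted
list and sample URLs are constructed; twitller.com is the domain the
article names. Domain extraction is simplified to the last two labels.
"""
from urllib.parse import urlsplit

# Assumption for the example: the services a user actually logs in to.
TRUSTED = {"twitter.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Last two host labels, lower-cased; ignores multi-part public suffixes."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def lookalike_of(url: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (seen_domain, trusted_domain) for a near miss, else None.

    An exact match is not a lookalike; a domain far from every trusted
    name is simply unrelated and left to other controls.
    """
    seen = registrable_domain(url)
    if seen in trusted:
        return None
    for good in sorted(trusted):
        if edit_distance(seen, good) <= max_distance:
            return seen, good
    return None


if __name__ == "__main__":
    for link in ("http://twitller.com/login", "https://twitter.com/login",
                 "https://example.com/"):
        print(link, "->", lookalike_of(link))
```

A hit from `lookalike_of` is a reason to warn before the page is rendered, which addresses the point made above: blocking one typo-squatted domain does not stop the next variant, but a distance check catches the whole family of near misses.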

The motives, much less the perpetrators of the Twitter phishing campaign, are unknown. Possible motivations might be the use of compromised accounts to send messages advertising dodgy diet sites (earning marketing affiliate revenue in the process), or the use of compromised Twitter account login credentials to break into other services (email, Facebook etc). This latter trick is only possible thanks to the widespread but hopelessly insecure practice of using the same password on multiple websites. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/15/threatening_twitter_phish_campaign/