Facebook warns over password reset scam
Facebook has taken the unusual step of warning users about a bogus password reset scam designed to trick victims into downloading a password-stealing Trojan. Prospective marks are falsely told in widely distributed spam emails that their password has been changed because of a supposed security incident. Targets are invited to …
Will be sent by email to users. The warning is in the attached zip file :)
Please download the linked program to open the attached file.
...but i can remember receiving an email from my bank once warning about a scam going around which requested you go to a fake mock up site and sign in. They specifically stated in the email "We will never send you an email with a link to our online banking portal." but guess what was at the bottom of the page? A link to the online portal....
if you're dumb enough to open the file you deserve to get pwned
I got one of these mails this morning, and of course I didn't open it. But the other day, my better half was expecting a real delivery and opened the delivery of a trojan from a spam mail purporting to be about a failed delivery. She's not dumb, it was just fortuitous timing for the spam to arrive.
Why the hell does Vista default to not showing file extensions? My non-techie lady can understand not to 'open' a .exe file, but when it appears that you're 'opening' a document, ordinary folk are fooled.
And why the hell do they say 'open' when they mean 'run'? If 'open' were used for docs and 'run' for executables, the world might be slightly safer.
Ordinary, non-techie people are not dumb and do not deserve to be pwned. Maybe you're just trolling.
a couple of months ago my previous boss (IT Dev manager!) got an email about an expected delivery and it shafted his work pc.
why did he open it?
- he was expecting a delivery that day (or the day after)
wonder if someone could have got into the UPS/DHL delivery schedule (though hopefully they'd have cuaght it by now!) or its just dumb spam...
...either ignorant or unintelligent means you deserve whatever happens to you? Walk into the wrong section of town and get mugged - you should have known better! Fall into the river and drown? You had it coming for not knowing how to swim better!
You guys are a real bunch of charmers. Nice to know that I can rob your house and you'll admit straight up like men that you had it coming due to your insufficient home security, though!
Madmattttt, could you explain your reasoning in more detail, because it sounds to me like you haven't necessarily thought this one through all the way. "It's your own fault for letting it happen" does make you sound like someone that thinks exploitation of people like this is somehow justified. Where do you draw the line? And I do mean where do you, personally, draw the line at this... is it just at infected computer equipment, or by saying that "the sick, the weak and the dumb should not survive" do you also actually feel that physical exploitation is also justified? That the physically weak deserve to be bullied, mugged or killed by the strong? That medicine should be banned, so that pneumonia and influenza can weed out those with ailing immune systems?
I don't think that's what you intended to say at all, you simply think that you are immune from (malicious code) infection, so anyone who does get infected is obviously somehow inferior to you and therefore you have a right to ridicule them. Unfortunately for you, it is provable that no AV protection is 100% effective, especially on day zero. Even POSIX compliant operating systems aren't immune... that is where the term "rootkit" originally came from, after all, and you need to implicitly trust your repository not to have been compromised every time you run your updater, since all updates are run as root ;)
Mocking the afflicted has a horrible habit of backfiring at the most inopportune moments, I find it far simpler and safer to sympathise instead :)
Why does any email gateway even allow .exe files to be received anyway? There is no reason to send an exe - if you want to send an app just zip it.
Failing that, the OS knows what things can "run" (scripts, apps etc) - it really should present a severe warning. And since this is such a trivial thing to actually code into an email client why doesn't it exist?
If the weak just died that wouldn't be so bad, but they don't, their machines collect nasty things, get involved in DDOS attacks and spew spam/viruses to all.
Back, damned troll, back!
No, she THOUGHT that she was opening a file, but in actual fact her operating system executed a program attached to the email -- while going out of its way to trick her into thinking it was opening a file. The folks in Redmond that made those decisions about the way Windows should work may not have directly loaded that trojan into her machine, but they sweet-talked her and then led her into a dark alley where someone else could mug her. And they're every bit as accountable for the resulting trouble as the muggers themselves.
Thunderbird doesn't allow execution of binaries. All it does is issue a warning and offer to save. Even if you try and 'Open' from the e-mail attachment.
That's on Linux mind - wouldn't know about Windows
"And why the hell do they say 'open' when they mean 'run'? If 'open' were used for docs and 'run' for executables, the world might be slightly safer."
Depends which operating system you use...
Any company that can't tell the difference between "Run" and "Open" probably has their security so tight that the users don't need to worry. Oh, wait... no, it's the other way around, isn't it?!?
"Why the hell does Vista default to not showing file extensions?"
See above.
There are certain operating systems that will warn you about exes that have been downloaded or sent by email and throw up a warning asking if you're sure you really want to run code from the internet.
Obviously, windows isn't one of those operating systems.
Not everyone is a 'uber leet haxor' like you Matthew. Anyone who has teen children or older parents on the internet needs to be aware of the latest scams doing the rounds. As you know some can be very convincing to those who aren't as tech savvy as we are.
some of the more heavily spammed addresses I look after at work have been getting these for at least a month. Sometimes several a day. You'd think they'd give up at some point but no, they're just going to do the same thing that doesn't work over and over again. Stupid ass scammers.
As soon as I got it, I immediately warned everyone via my status to delete those files. I just wonder how many heeded my warning. Only one said they got that same email and deleted it.
With an attitude like that towards women at least we don't need to worry about you reproducing ;)
I got one of those emails and don't even have a facebook account. Here's the email of the originator stoningqp8@siemon.com. Maybe some can track the bum down.
Exactly the same thing happened to me. Don't have a FB account and so forth. The originator in my case was another Geocities user. Yahoo shut that down months ago, but they still route the incoming mail.
Obviously, the originator was spoofed.
I'm going to start a Horoscope service which serves up a static page advising people to drink heavily, both before and after something bad happens on the Internet. If people follow my advise, they soon will be to drunk to follow my advise. Then I can tell them how smart I am for being sober, if I can keep them awake long enough. Until at last I grow tired and sleep myself and I sure hope I wake before they do because they are not going to remember the smart, sober guy fondly.
Shows the value of having different accounts, rather than sharing one.
With different accounts and decent systems architecture, a compromise of one account does not compromise another.
Make the make the box in the emai program clearly state 'Open file' if it it will launch an existing program on your computer that will then read the file, or 'Run this application' ( with a big yellow warning sign in front of it) if the attachment is actually executable code.
That would give a visual que as to the nature of the attachment.
An admin setting could then be in effect that would deny access to files that fall in the latter category.
@Old Tom: Those are all good suggestions for Microsoft to implement into their OS, but you ask why those UI choices were made...?
The reason the choices were made by Microsoft is because:
THEY DON'T CARE ABOUT THEIR USERS.
They've been proving that they don't care, every month they make $900 million profit...which is every month.
Meanwhile there's a much better alternative for your non-tech Significant Other...it's called, Mac OS X. Get a Mac and you won't have to worry about these Windows-only virii, trojans, malware, etc... (Until it gets up to ~50% market share, which it will never do...unless Microsoft continues to REALLY soil itself.)
The answer is NOT get a Mac. They get compromises too! You really think Apple gives a wotsit about its users? Wow!
You're correct that it's fewer because of the windows marketshare, but issues are *still* present.
Within the last 2 weeks safari was updated yet again to address the old unverified remote user executing arbitrary code thing. The update report presented on screen to users didn't contain all the detail (funny that), but the one submitted by Apple to US-Cert did:
"
Apple has released Safari 4.0.5 to address multiple vulnerabilities in
ColorSync, ImageIO, PubSub, Safari, and WebKit. These vulnerabilities
may allow a remote attacker to execute arbitrary code, cause a
denial-of-service condition, obtain sensitive information, or bypass
security restrictions.
"
Then there are the regular flaws in Flash, Java, iTunes and other extension software that are truly cross platform.
Macs, PCs, linux boxes, smartphones... all can be compromised in multiple ways, so don't be an idiot and think using a mac makes you invulnerable.
... to Windows malware.
Impervious to exploits? No. Vulnerable to exploits? Also pretty much NO. Getting a Mac does make you dramatically less likely to suffer an exploit purely because there is virtually no Mac-specific malware doing the rounds. There is also unlkely to be any while Windows continues to be such low hanging fruit. So DO get a Mac and DO stop worrying about the bullshit Windows users have to constantly fret about. However, DON'T leave your brain at the door and still beware the nasty people.
(For Mac above feel free to swap in Linux)
I thought Microsoft Outlook blocked executable attachments... since the introduction of Outlook 2002 or possibly earlier. Outlook 2007 even disables links in messages from unknown senders.
Of course, security features can always be left turned off - often on the laptops of tech-savvy IT staff ;)
.... I forgot to post the reason why i came to the forums in the first place!
I got one of these emails the other day and the sophistication on this has gone up a notch in my estimation I almost starting moving my mouse to the link in the email but pulled myself back just in time.
Dangerous stuff hence why its more important than ever to implement good but manageable security at home.
I can't really believe the media's assertion that 350 million people are at serious risk of falling for a broken, misspelt message splattered with virus warnings - that's addressed to someone else anyway.
It's a pity that Facebook make it difficult to report such email scams to them. I had a couple of emails but the filters on my mail server stripped the content including the virus, and sent the headers to me. I spent ages trawling through the Help section trying to find a form that could be used to send them the headers to no avail. Perhaps they would be happier for us to report such email scams to The Reg rather than to themselves directly? Any publicity is good publicity.
What in a more direct way the guy above was trying to say was that even if your gf is slightly more "techie" than the average lipstick lass you should still ensure she only uses a non-admin account that won't allow executables to install anything.
Hence natural selection due to poor security fundamentals at home has ruled your lady and by proxy you out of the race, so to speak.
That's what he meant :)
No really .. I mean if you got an email saying what this says (and I've gotten a few of them in my spam folder) then you have to ask why don't people go to facebook and check first?
(alien - because thats what users are to us geeks)
Sign up, sign up for The Register's weekly IT security newsletter - click here
