Lavasoft News - February 2007

Editorial graphicMany of you have written to us curious about Lavasoft's new product, Ad-Aware 2007. We must first direct your attention to our fresh, new icon. Pretty nice, eh? You will see this on all Ad-Aware 2007 products and packaging.

Now to your questions. No, Ad-Aware 2007 is not yet available. We are currently in a VIP beta testing phase and will enter a public beta shortly. Our developers will then make any last-minute corrections required before we issue a commercial release.

All of you who purchased Ad-Aware SE recently, and those who still have a valid license, will be eligible to upgrade to Ad-Aware 2007 for FREE. And yes, we are compatible with Window's new operating system Vista. We are also aiming for Vista Certification, the highest level offered.

Stay tuned to the Lavasoft Company Blog and the Lavasoft Support Forums for the latest on Ad-Aware 2007.

News from Lavasoft

Mobile Malware Strikes
We thought malware invading our privacy and compromising our security on our PCs was as bad as it could get. Now, cyber criminals are branching out to target another lucrative area: mobile phones. Find out what you need to know about the latest threats.

arrow  Read more

Spyware Sneaks into Virtual Worlds
Online games that use real world currency are gaining in popularity around the globe. And the large sums of money involved naturally attract cyber criminals.

arrow  Read more

Staying Out of the Phisher-man's Net
Phishers did not waste any time coming up with a new online scheme to reel in potential victims. The next generation of phishing is known as a "man-in-the-middle" attack.

arrow  Read more

Age and the Internet - Misconceptions
Is age a factor when it comes to Internet use? Throw out your stereotypes about teens monopolizing the web, and find out how the Internet is making way for baby boomers.

arrow  Read more

Security Shorts
Lavasoft News has compiled of a list of "security shorts" - summaries of other online security stories making news around the world this past month.

arrow  Read more

"Spyware" Teacher Faces 40 Years in Prison (The Register)
This story seems to be one of the hottest online right now. A substitute teacher found guilty of displaying pornographic images on her classroom PC is facing a maximum of 40 years behind bars. Julie Amero of Connecticut claims it was spyware that forced the graphic images to pop-up on her machine. Is malware the culprit? You decide. Read The Register’s article and then tell us what you think at editor@lavasoft.com.

Spyware Newsbits

New Targets in Detection (January 2007)
Protect your privacy with a complete list of new targets for January 2007.

arrow  Read more

Lavasoft Blog
If you want to go behind the walls of Lavasoft, hear what we are up to, what we are thinking and what is happening in the industry, the Lavasoft Company Blog is the place to go for regular, up-to-date information.

arrow  Read more

Mobile Malware Strikes

Since the news first broke of companies creating mobile "snoopware" to allow consumers to monitor their partners' text messages and calls, there have been growing privacy concerns over spyware running on mobile phones. Now, the threat landscape is changing to include malware, SMS phishing, and viruses, as criminals set their sites on cellular.

Commercial applications like Vervata's FlexiSpy, which silently record mobile phone calls and SMS messages to transmit them to a remote server, are designed to be "fun tools" to keep track of what spouses or children are doing on their mobile phones.

But, the mobile phone snoopware also has the classic signs of computer spyware: it often installs without any indication of what it is, hides from the operating system, and passes information on to a third party.

Security company F-Secure calls the FlexiSpy software a Trojan. According to their research, phones with spying software typically utilize SMS forwarding, SMS and voice call log information, remote listening, covert conference calling and localization services.

"This basically means that if the victim has a full-featured spy application installed on their phone, they have no privacy whatsoever and that the one controlling the software has access to all of the information that the phone has," said Jarno Niemela, F-Secure's spokesman.

Concerns have been raised in the past that the application could be abused by malware that installs as part of a payload, or by a hacker sending it to open phones in the hope that curious people would try to install it.

As our phones take on more of the capabilities of our computers, attacks targeting mobile devices are on the rise, security analysts say.

This past December brought the news that spyware applications targeting the Symbian operating system for mobile phones had been found. According to researchers at McAfee, the spyware application is bundled together with a variant of the Multidropper mobile phone Trojan, tracking text messages and copying log files with the phone number of incoming and outgoing phone calls.

This type of malware not only indicates that mobile phones will be increasingly targeted, it also shows a change in direction for malware authors. "Rather than destroying data and information, it is stealing it for profit," Jimmy Shah, a mobile antivirus researcher at McAfee, said on a company blog.

Security vendors have also noted incidents of criminal phishing through SMS. Coined as "smishing" attacks, consumers are typically warned that they will be charged a certain amount of money per day if they do not cancel a fictitious website purchase. When victims attempt to cancel the order, they often hand over confidential information, or leave themselves open to malicious websites.

Smart phones, combined mobile and PDA (personal digital assistant) units like the popular BlackBerry, are sure to be regarded with more interest by hackers. Global shipments were said to have increased 66 percent to 81 million units in 2006, according to Gartner's predictions.

That may not bode well for Apple's iPhone, which is due out on the market in June as a combination camera phone, PDA, multimedia player, and wireless communication device. While some security analysts say that malware concerns are premature, especially since consumers will be limited to installing certain third party applications on the iPhone, reports of hackers salivating over it are already circulating around the web.

One of the hackers behind the "Month of Apple Bugs" project, aimed at disclosing new Apple vulnerabilities, reportedly wrote in an e-mail to IDG News Service, "If it's really going to run OS X, [the iPhone] will bring certain security implications, such as potential misuses of wireless connectivity facilities [and] deployment of malware in a larger scale."

This year may also bring the first large-scale cell phone virus strike, according to analysts. Malware developers could implement an attack if they create a way to embed a virus in VoIP programs that users download to their mobile phone operating systems to reroute pricey mobile phone calls to the Internet.

Spyware Sneaks into Virtual Worlds

Virtual worlds are not all fun and games anymore. These MMORPG's (Massive Multiplayer Online Role-Playing Games) are one of the latest targets of spyware authors.

Avert Labs estimates that 18 percent of known Trojan password-stealers, infamous for targeting financial institutions, attack these virtual worlds thanks to all the cash to be had.

In these games, players usually pay a monthly subscription fee and then insert real money in order to purchase items and interact with other fictional characters. The virtual resources purchased are typically weapons, armor and real estate.

Players can spend hundreds of hours racking up items that can be traded and a profit turned. Some are there solely to amass goods and cash and sell for real world dollars to players who do not have the time or effort to do it themselves.

The scammers are usually after the credit card and billing information for the account, or better yet, those virtual world loots. They later auction them on places like IRC or eBay for real money.

Online game accounts can be worth thousands of dollars. In October of 2005, the sale of a virtual asteroid based space resort for $100,000 US to one famed gamer in the MMORPG Entropia Universe set a world record for the most valuable virtual item.

"For a lot of the customers out there, there is more store value on their MMO characters than there is on the credit card with which they pay for the account," said Dave Weinstein, a Microsoft security development engineer at a video game development conference late last year. "The police are really good at understanding someone stole my credit card and ran up a lot of money. It's a lot harder to get them to buy into 'someone stole my magic sword'".

According to Kaspersky Lab, the first cyber crime targeting online games took place in 2003 when Trojans designed to steal user data were detected in the Asian game Legend of Mir. Since then World of Warcraft, Lineage and EVE Online have all become victims of similar attacks.

It is not only the player and his/her account that can be victimized. More and more employees are entering their virtual worlds on company computers which, security experts say, is putting businesses at risk.

"Let's say employee X sets up their own World of Warcraft server and lets people come in and play. That allows people on other machines to come into the business. It allows people outside the business to log on behind the firewall," said David Marcus with Avert Labs.

Some security suites are now adding features designed specifically for online games that block all communication between your PC and the wider web apart from the all-important game connection.

If you want to avoid being a victim in your MMORPG, never give your account details out to anyone - not even those in-game claiming to be GMs. And do not download packet editors, zeny generators, item duplicators, or botting programs.

Staying Out of the Phisher-man's Net

As we reported in November's issue of Lavasoft News, phishing scams, most often fraudulent e-mails that dupe users into giving up their personal information by masquerading as legitimate institutions, were one of 2006's major cyber security issues.

A new type of phishing attack, expected to be lucrative in 2007, is a slight variation, acting as a middle man between the victim and the genuine website.

Encryption company RSA discovered a "universal" man-in-the-middle phishing kit being hawked in online forums. The kit allows the attackers to create bogus URLs that communicate with both the end user and the legitimate website in real time.

Standard phishing attacks only collect specific requested data (usually login and card-related info), but this form actually intercepts any type of credentials submitted to the site after the victim has logged into his or her account.

The victim receives a normal looking phishing e-mail and when they click on the link they are directed to the fake site. The victim then interacts with genuine content from the legitimate website - which has been 'imported' by the attack into the phishing URL. This means the fraudster can make an immediate financial transaction.

PayPal, whose website is often spoofed by phishers hoping to steal user account information, is doing its best to keep its customers from taking the bait. It plans to offer a new two-factor authentication system for $5 US. The security key is a small electronic device that calculates a new numeric password every 30 seconds. Logging onto the online payment service will require users to enter their regular passwords as well as the number displayed on the key.

"If you fall for a phishing scam and give away your user name and password...if you used the Paypal Security Key, a third party couldn't get to your account because they wouldn't have this dynamic digit," said Sara Bettencourt with PayPal.

The key will be beta-tested over the next few months with a public release later this year.

Several financial institutions, which are also often the targets of phishers, are testing similar one-time password products, like VeriSign's tokens. A select number of banks in the U.S. are also testing new software called BioPassword that resides on the web servers of the banks, analyzing typing rhythms to allow or deny access.

These products, designed to add a second layer of authentication to online transactions, come as new federal guidelines in the United States are calling on banks to establish multi-layer authentication security protocols for customer log-ins.

"As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets," said Marc Gaffan, director of marketing in the Consumer Solutions division at RSA.

"While these types of attacks (man-in-the-middle attacks) are still considered 'next generation,' we expect them to become more widespread over the course of the next 12 to 18 months."

As long as there are groups like Rock Phish around, the banks should definitely be implementing several layers of security. Experts estimate this group is one of the most prominent in operation today, costing financial institutions like Citibank and Deutsche Bank, more than $100 million US to date.

A real cause for concern is Rock Phish's ability to stay one step ahead of the game. According to Symantec's Zulfikar Ramzan, just as browsers have been building phishing filters into their products, the group is already hard at work creating URLs so its messages can fly under the "blacklist" radar of identified phishing addresses.

If the messages keep getting through and people keep clicking, the phishers' catch in 2007 will be big. Gartner estimates financial losses due to phishing totaled $2.8 billion US last year.

Age and the Internet - Misconceptions

It may have been the case until recently that anyone over the age of 50 thought "surfing the web" was a term reserved for those with a board and a beach.

Today, this crowd is as cyber-savvy as its kids and even grandkids.

Studies are showing that the number of seniors who surf the web is on the rise, with some calling them the fastest growing demographic. A recent Pew Internet report found that 34 percent of Americans age 65 and older go online, up from 29 percent a year earlier.

The steadily growing number of web-surfing baby boomers has already begun to have an effect on the web.

Jeffrey Taylor, founder of the online employment site Monster.com, believes that life begins at 50, and he wants to share that view through the web. This past July, he launched a social networking site, Eons.com, aimed at inspiring baby boomers throughout the world.

Eons.com has opened up a new door to audiences in the 50-plus age bracket. "We're excited about the reception we've gotten from marketers who have been looking for a way to reach this audience," said Eons.com SVP of Strategic Development Linda Natansohn.

"Eons is like a breath of fresh air; we are approaching [the audience] with optimism and spirit. We've really been embraced and it feels like these companies have been waiting for a long time for a company like Eons to engage and innovate with."

The media company is also adapting online searches to the desires of the cyber baby boom crowd. cRANKy.com, "the first age-relevant search engine," is a specialty search page designed to process requests from the perspective of computer users who are above 50 years old.

Launched in early January, cRANKy is trying to simplify things by limiting search results to four listings, as well as making those listings more relevant to its target audience.

"We've discovered that, universally, the Eons Generation doesn't like to wade through millions of search results. So, we created cRANKy.com to engage this energetic group of web explorers who embrace technology, including those who may not be as well-versed at Boolean searches and complex narrowing techniques as younger generations who grew up on the Web," Taylor said in a recent press release.

"This whole group hasn't grown up with the Web, and they didn't really need to use it in their jobs," Taylor said.

The 50-plus community is obviously trying to educate itself on PC security and privacy, as "computer virus" and "computer crime" both made cRANKy's top 10 web searches in 2006 (based on Eons user searches).

Since many in this group are new computer users with less online experience, understanding security is a key issue.

The Federal Trade Commission has developed a website to help seniors, baby boomers, and other Internet users protect themselves from the many cyber threats that are lurking online.

For more information, visit OnGuardOnline.gov.

Security Shorts

 

Adobe Releases Security Patches

Security experts call it one of the worst security problems they have ever seen. Adobe is now releasing the first security patches to fix the cross-site scripting vulnerability that opened up Acrobat Reader to hackers. The attacker could easily include JavaScript code in a browser session so when a user clicked on a malicious link to a PDF on the web, the attack code was activated. Adobe urges users to update to the latest version of Acrobat Reader.

arrow  Read more

Organized Crime Gangs Target Students

A new report by a top security company finds children as young as 14 are being targeted by some gangs to become "skilled hackers". These criminals are reportedly paying tech students while they study to ensure they have a pool of cyber-savvy workers they can call on. The younger teens are being seduced by the "hacker" label and are even being financially rewarded for carrying out low-level tasks.

arrow  Read more

Hitman Spam Scare Tactic

If sheer volume of spam e-mails is not enough to horrify, the latest spam tactic is. Spammers, posing as assassins, have been sending out threatening e-mails claiming that recipients are the target of a hitman, and if they fail to pay thousands of dollars, they will be killed. The scammers have been known to include personal information in the e-mails, making the threat seem all the more real. The FBI has reportedly received 115 complaints of "hitman spam" since the first signs of it in early December.

arrow  Read more

Botnet Operators Face Jail

Two Dutch botnet operators who allegedly ran a network of 1.5 million computers may spend up to three years behind bars, authorities say. The botnet operation, which was uncovered in 2005, turned out to be 15 times larger than police had expected. The suspects are accused of using one virus to recruit a network of zombie computers, and another to steal credit card and bank account information. The operation accrued an estimated €60,000 ($99,000 US) over a six month period.

arrow  Read more

Phisher Faces up to 101 Years

Jeffrey Goodin of California, USA could be sentenced up to 101 years behind bars after being convicted of sending out fraudulent e-mails and related crimes while running a sophisticated phishing scam. As part of the scam, Goodin allegedly tricked computer users into giving up their credit card information by sending supposed e-mails from AOL's billing department.

arrow  Read more

 

Extra! Extra!
Ad-Aware Breaks Records at Download.com.
Read all about it here.
Stats
More than 3/4 of Americans are net users, spending an average of 8.9 hours online a week. For the first time in 2006, the number of women logging on equaled the number of men.
Source: Survey from the Center for the Digital Future
Term(s) of the Month
A cookie is a piece of data that a website saves on a user’s hard drive and retrieves when the user revisits that site. It may use a unique identifier that links to login data, preferences, etc. A tracking cookie is any cookie used for tracking users’ surfing habits. They are typically used by advertisers wishing to analyze and manage advertising data. Read more in Lavasoft’s Spyware Glossary.
Tech Tips
Did you know that the Lavasoft Support Forums are the perfect place to go for up-to-date technical advice? Forums Administrator Janie Whitty, aka Calamity Jane, checks all new posts made. Lavasoft staff members regularly go in to read and post. We also have a team of international volunteers who help our users with their questions and concerns. If you do not already have an account sign up today at www.lavasoftsupport.com. There are currently more than 15,000 registered members!
Letters to the Editor
Thanks to all of you who wrote to us with your thoughts on spam and the future of e-mail. Spam definitely gets people talking. Read some of your letters here.
Text Size
If you think the text size on the back pages of Lavasoft News is too small, remember you can adjust the sizing in your browser when reading our newsletter online here.
Lavasoft AB
Lilla Bommen 1
411 04 Gothenburg
Sweden

www.lavasoft.com
editor@lavasoft.com
Page footer

Add editor@lavasoft.com to your address book to ensure we reach your inbox.

You have received this message because you have registered to get information about Lavasoft and its products. If you no longer wish to be part of this mailing list: Click here to unsubscribe.

For information on Lavasoft's Privacy Policy, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE. If you require Technical Support, please check the Lavasoft Support Center for information.

Visit Lavasoft's website here for more industry and company news. For research and security queries go to the Lavasoft Security Center, or if you want to learn about the software infecting 9 out of 10 PC's today visit the Spyware Education Center.

Lavasoft AB, Lilla Bommen 1, 411 04 Göteborg, Sweden
Copyright ©2006 Lavasoft AB. All rights reserved.