If you receive a password reset email from Facebook on your inbox, be careful! Facebook users are being warned of a malicious email password reset scam that is making its rounds and quickly spreading across the social network the past couple of days. This massive spam run is the latest version of malicious emails targetting Facebook’s 400 million global users.

The email messages that are believed to be sent from the Cutwail and Rustock botnets, use a spoofed return email address like “help@facebook.com“, making it look real and appear that its really from Facebook. The message indicates that the user’s Facebook password has been reset and that the user should download the email attachment containing the new password. Unbeknownst to most users, that attachment is a Trojan horse program designed to infect a computer. This massive spam run also contains different varieties of malware programs, password stealers, rogue antivirus programs and botnet code.

Unlike most spam and phishing emails, this Facebook password reset scam’s English-language messages contain correct grammar but has a weird sign-off: “Thanks, Your Facebook.”

Here’s a screenshot provided by McAfee from one of those Facebook password reset scam emails.

Users should always keep in mind that companies or social networks like Facebook won’t send unsolicited passwords. The only time a user will get a new password is if that user requested for it. Aside from keeping your AV (antivirus) up-to-date, users should also make it a habit not to click on embedded links on emails and NEVER download attachments. If you have to download an attachment from someone you know, make sure you scan it first with your antivirus software before opening/running it.

Social networking sites will always be a favorite target of scammers, spammers, phishers and other types of cybercriminals because of the huge number of users and the large percentage of “ignorant” users. So its important that users should always be protected (up-to-date antivirus) and be educated about these types of email scams.

Next time you open your inbox and find an email that asks you to reset a password or change login details, be careful. It could “pretend” to come from Facebook, Twitter, Bank of America, PayPal or any other website – don’t click on the embedded links and NEVER download any attachments!

Anyone here or anyone you know recently received a Facebook password reset scam email?

Just found out from Weblog Tools Collection about a certain website with the name WordPresz.org that pretended to be WordPress.org and tried to release a backdoored (trojanised) version of WordPress to unsuspecting users who are still using older versions of the popular blogging platform. Blogger Craig Murphy was the first to report about this issue and below is a summary of his report taken from Sophos.com.

“Craig talks about how when he logged in to his admin account in WordPress he received a “High Risk Vulnerability Warning” from a spoofed WordPress domain. (The last ’s’ in WordPress.org has been replaced by a ‘z’.) The Warning suggests upgrading to the ‘new’ version 2.6.4 of WordPress. Downloading this ‘new’ version of WordPress I found that of the 638 files in version 2.6.4, 637 were identical to the same files in the official 2.6.3. The only difference was in the file pluggable.php. The hacked version of the file pluggable appears to be stealing the content of cookies on larger installations of WordPress. Sophos are now detecting this file as Troj/WPHack-A.”

WordPresz.org, setup by malicious persons was designed to steal valuable information stored in cookies from users who install the compromised version of WordPress and could also potentially be used to hijack these WordPress installations for malicious purposes. WordPresz.org is no longer online but the site looks exactly the same as the real thing. Below is a screenshot of the fake site.

If you can’t see the difference, below is a screenshot made by Craig pointing out the differences between the real and the fake WordPress site.

1 – the download size is too round and is incorrect, it should be about 1.4mb in this case.

2 – these are randomised over at WordPress.org, but are static at WordPresz.org.

3 – The real WordPress.org has a “Showcase” link included.

It’s really hard to know the difference between the two sites and any WordPress user could be lead to believe that they’re visiting the real one.

Here’s Peter Westwood’s (one of WordPress’s lead developers) response to this incident:

It looks like sites which have not upgraded to 2.6.3 are being exploited in an interesting way whereby a hacker, probably using an automated script, is hacking into sites with the vulnerability and changing the settings of one of the dashboard modules to point to a different feed thereby encouraging people to go to a different site which is offering a dodgy upgrade.

“We recommend that people upgrade as soon as possible when we release a security release so as to ensure they are not vulnerable to issues which will likely have exploits in the wild.

Also in the upcoming 2.7 release of WordPress we are including a built-in upgrade mechanism within WordPress which will allow people to upgrade automatically with ease. I would however stress the need with any piece of software to check that an upgrade is real by visiting the website of the software provider manually rather than relying on a link that you have been provided. Otherwise, as with bank phishing scams there is the potential for someone to trick you into doing something you didn’t want to do.

This is not the first time hackers and fraudsters tried to released compromised version of WordPress. Early last year, I published WordPress 2.1.1 – Dangerous Download, which is about how crackers were able to upload a backdoored version of WordPress 2.1.1 into one of the servers powering WordPress.org. Other instances include websites trying to distribute WordPress themes containing malicious codes.

These is another good reminder for all of us WordPress users to practice safe computing. For those of you who are still using an old version of WordPress, please take the time to upgrade to the newest version. Make sure you update your WordPress installation to the most recent version especially if the newer version contains a security fix. Also, make sure that you download your next WordPress install ONLY from WordPress.org and not from any other site. Users should also be careful what themes and plugins you download/install and where you get it from. As much as possible download only from WordPress Extend or from reputable plugin and theme authors.

To those of you who think that you’ve been victimized by WordPresz.org and believe that your WordPress installation has been compromised, download the newest version or WordPress from WordPress.org and do a reinstall/upgrade.

To know more about the details of this story you can visit the following links:

• Craig Murphy – WordPress 2.6.4 Fake?
• The Register – Fake site punts Trojanised WordPress
• ZDNet Blogs – Fake WordPress Site distributing backdoored release

Any of you guys were able to visit the actual fake WordPress site? Anyone had the same experience as Craig Murphy? What other security and safety measures can you suggest for other WordPress users to make sure they keep their blogs clean and safe? Please share your thoughts. Thanks for your time!

*images taken from The Social Programmer and ZDNet Blogs.

Be careful with what blogs you visit. Google’s Blogger.com is reportedly being hijacked by scammers to spread malware through fake blogs. Security experts are calling this the “fake blog scam”. Blog hopping or surfing hasn’t been this dangerous.

Scammers are creating what would seem as a normal-looking blogs with ordinary topics like “Star Wars, school, furniture, Christmas, cars and girlfriends” to host a variety of script-initiated malware. What’s scary is that it’s virtually impossible for visitors to spot the danger of these blogs and these malware infested blogs are said to be in the hundreds.

An example of these blogs is a one that is supposedly owned by a fan of the Honda CR450 motor car which attempts to infect it’s visitors with the Wonka Trojan. Other malicious tricks involve redirecting visitors to a phishing site.

“These are not legitimate blogs that were compromised. They appear to be deliberately set up to promote phishing, which is against our terms of service. We are investigating, and blogs found to include malicious code or promote phishing will be deleted,” Google said in a statement to CNET.

Previously, scammers have used social networking site MySpace for spreading adware, luring users into phishing sites and even YouTube by using fake porn videos. Now they’ve entered into the blogosphere, using the popularity of blogs in the hopes of having a huge payday.

Since it’s virtually impossible to detect if a blog is malware infested or not, we better take precautionary measures ourselves.

Here’s my advice:
» Avoid visiting blogs that you’re not familiar with.
» Close the window or tab if a blog redirects you to a different site.
» Close pop-up windows and NEVER click, however tempting it may be.
» Use a more secure browser like Mozilla Firefox or Flock.
» Keep your anti-virus programs up-to-date.

Hopefully no one else gets fooled or victimized by these fake blogs and Google should get rid of them A.S.A.P. Practice safe computing everyone! :)

Read the full story.

In some parts of the world, people are already celebrating Valentine’s Day. During this special day, married couples and sweethearts are not the only ones who are busy. Spammers and malicious programmers are also busy spreading spam emails, viruses and trojans.

Remember the famous “I Love You” virus? I’m sure you do, especially Filipinos. This is because the one who created this virus was a young Filipino student in one of the popular computer schools in the Philippines. Then there was also “W32.Yaha.K@mm” which was known as the Valentine’s Day virus. These and other types of virus spread during this time of the year.

Spammers try to lure you and me to open emails with subject lines offering free stuff like jewelry, chocolate, and lingerie. Security experts are advising people to be careful in opening Valentine-themed emails or e-cards (electronic greeting cards) or not to open any suspicious looking emails from someone you don’t know especially if it has a file attached to it.

Even with the use of security software like antivirus, antispam softwares and firewalls, spam, spyware, viruses and trojans still spread because of the lack of knowledge of users. Some people think that the presence of these security software is enough. Most of the time they forget or neglect to update it and that makes it useless. Also, what software salespeople won’t tell you is that these security software only filter 60% of viruses.

So for your safety and others too, let’s all be careful and spread love instead of spreading viruses on Valentine’s Day!

Btw, I just realized that the title could be misleading and could have a double meaning. Get it? Anyways, both mean well.

Happy Valentine’s Day everyone!

Don’t forget that Feb 14th is the first day for submitting nominations to the 2007 Philippine Blog Awards.