A tale of two "red alerts:" Which Windows warnings should you heed?
Literally every day at Betanews, we get at least one security vendor "alert" of some type, warning us to be on the lookout for the latest malware. The message is always the same: Advise users to stay vigilant, to keep patching, to upgrade their antivirus to the latest editions. But the profiles of the malware typically look the same, too -- stuff you might click on by accident, links pretending to be from your "best friend" in an e-mail message, ads for products that look too good to be true.
For many of us, the situation is getting to be like the US' terror alert level, which has remained at "Yellow" since the fall of 2007. We starting to forget what "elevated" vigilance means. And maybe that's a problem, because lack of attention to advice about real threats could become as dangerous as lack of attention to any one of those miracle weight-loss links.
This isn't an ad, it's my opinion: Over the years, I've trusted the engineers at Sophos Labs to present down-to-earth analyses of possible security scares. This morning, I forwarded two recent reports from other well-known security vendors to Sophos' Chester Wisniewski, reports about malware that didn't fit the ordinary profile we tend to see from day to day.
The first report comes from ALWIL Software, publishers of Avast anti-virus, and it's been heavily circulated since it was first issued last February. It speaks of the horrors of receiving unsolicited malware by way of JavaScript elements embedded in the ads that appear on Web sites -- the sources of which, sometimes, innocent publishers have no control over.
"The malware usually spreads through Web infection placed on innocent, badly secured Web sites," reads last month's initial warning from the Czech Republic-based Avast's Jiri Sejtko. "The ad infiltration method is growing in popularity alongside with the Web site infections. Now we are facing probably the biggest ad poisoning ever made -- all important ad services are affected. It means that users might get infected just by reading their favorite newspaper or by doing search on famous Web indexers. User interaction is not needed in this attack -- infection begins just after poisoned ad is loaded by the browser -- it is not a type of social engineering."
A chart from the ALWIL security research team showing what it claims to be the number of detected instances of malware sent by advertising platforms over a six-day period.
ALWIL's research found the Fox Audience Network as among the ad platforms spreading the alleged infection, which the firm dubbed "JS:Prontexi." On Tuesday, a public relations effort by the firm dubbed the malware a "widespread campaign," leading to blanket coverage such as this story in Media Post on Tuesday, this story in the Danish BizReport earlier today, and this blog post on Photoxels, which contains the original press release in its entirety.
That press release stated as many as one in two online ads served worldwide was in danger of being infected by the malware the ALWIL team discovered. "JS:Prontexi highlights the lack of care shown by advertising services providers to actively screen the content they are distributing," Sejtko is quoted as saying.
Can this problem truly be this bad -- a malware component with a 50% worldwide Web reach?
"Infections on ad services are certainly of heightened concern," Sophos' Chet Wisniewski told Betanews earlier today, "yet this is almost a month old, and the miscreants who caused this incident have since moved on. To claim it as the biggest ad server compromise ever seems to me to be a bit of hyperbole."
The moral of the story, according to the ALWIL press release: Pay attention to situations where you may think antivirus software like Avast is returning false positives...they may not be false. Again quoting Sejtko, "Consumers shouldn't immediately accuse their antivirus program of a false positive when a familiar site gets blocked. There can be a real danger."
The other "red alert" this week comes from McAfee Labs, as part of its new program of publishing "Consumer Threat Alerts." One of the first such alerts yesterday concerns a worldwide "Facebook password reset scam." Here, users worldwide are sent an ordinary e-mail -- no graphics, no text formatting, just an e-mail with an attachment: "Dear user of facebook [sic], Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document. Thanks, Your Facebook."
As McAfee's threat alert from yesterday reads, "This threat is potentially very dangerous considering that there are over 400 million Facebook users who could fall for this scam. This is also the sixth most prevalent piece of malware targeting consumers in the last 24 hours, as tracked by McAfee Labs."
Since this is also the type of phishing scam that we see here at Betanews every single day (sometimes every few hours), certainly this can't be the kind of malware delivery mechanism that people fall for, can it? Haven't people smelled this kind of scam long enough to spot it at a distance?
Surprise. As Wisniewski told us, this one deserves the red flag and the blaring klaxons.
"We are seeing very high volumes of this attack. Sophos detects the attachments as TROJ/Invo-Zip, which we talked about being involved in a similar MySpace attack this January. It then proceeds to infect you with Mal/FakeAV-BW (Fake Anti-virus). The same malware is also making the rounds as a fake delivery notification from DHL. The only thing unique is the extremely high volumes and the large user base that Facebook has that could be convinced to run the malware."
So to recap: A completely unsophisticated e-mail attachment, of the garden variety we've seen for the last 15 years, is seen by Sophos as being more dangerous and widespread than an embedded JavaScript that one security researcher says has the potential of appearing in half the world's online ads. The only way to ever find out the truth, is to ask the right questions of the right people.