Posts tagged ‘malware’

Worms Take Clickjacking to a New Level on Twitter

July 1, 2011

I’ve never been a big fan of Twitter. I could never get beyond that tiny character limit. I just ramble too much, so it doesn’t work for me.

That aside, I think it’s a cool service and I understand why so many people use it.

What disappoints me, though, is how many people seem to think that it is a completely safe community that allows them to follow links with impunity. As if the people on Twitter (which, if recent polls are correct, is everyone in the world but me and a handful of people in China) were all good natured and never thought about how they might use this increasingly popular service to screw a bunch of people over.

Yeah, I hate to bust your bubble, but popular places in the virtual world are just like popular places in the real world: they attract criminals.

A group of researchers say that they have created a worm virus for Twitter that kind of acts like a clickjacking attack on steroids… AND crack. If that sounds like an overstatement, then check this quote from Lance James, one of the researchers at Secure Science who said that

“You can couple an attack with our code and it would just tear the crap out of Twitter.”

Just lovely. Kind of makes you wonder why these researchers spend their time making computer viruses that could tear the crap out of anything. It’s like those biologists who intentionally make viruses that don’t exist yet.

What’s the point?

The point is defense. If security experts can stay ahead of clickjackers, then they have a much better chance of stopping nefarious technologies as soon as they are released. Still, it’s kind of a frightening thought.

Should We Expect More Protection From Clickjacking?

June 5, 2011

Clickjacking is a problem. There’s no getting around that. If you use the Internet, then you are a potential victim. It’s really that simple.

So, should we expect more protection from clickjacking? Should we expect individual websites to find new security measures that will prevent clickjackers from spreading their scams (I’m looking right at you Facebook and Twitter)?

To some extent, I think that we can expect these companies to assume some responsibility. After all, these companies have made billions of dollars from their clients. They should invest some of that money into research and development that helps them keep the clients safe.

At the same time, we can’t expect Facebook, Twitter, or any other big website to protect us from every threat on the Internet. Many of the clickjacks that people get through Facebook actually come from outside sources. Could Facebook do a better job of warning people when they are leaving the site? Absolutely. Could they do a better job of educating users so that they know more about the threats of clickjacking? I’d say so.

But they aren’t responsible for what happens to you on http://www.sometinysite.com.

That means you have to accept some responsibility on your own.

If you can’t prevent clickjacks from happening, then you can at least stop malware from infiltrating your computer as a result of clickjacked links. Get some good security software for your computer, and don’t be afraid to spend a few bucks on the highest level of protection. It’s the money that encourages software companies to design stronger products. If you only rely on freeware, then you are going to get burned at some point.

That’s just a fact of participating in a virtual world.

Clickjackers Target Smart Phones

April 20, 2011

In Japan, most people access the Internet through their smart phones instead of sitting down at a desk to use a computer. Over the past several years, other countries have seen similar trends that point toward the future: computers are getting smaller and more portable. Soon, smart phones (or similar devices) will be the easiest way to access the Internet.

Clickjackers know that this will change the way that they find their victims, and they’ve already made numerous attempts to alter their strategies to focus on mobile device users.

Over the past year, the number of clickjacking attacks has tripled. Now, many of those attacks focus on techniques that target mobile device users. Unfortunately, not many people understand how serious this threat is, so they fail to take the necessary precautions that will protect them from malware.

The big problem with clickjacking attacks that target smart phones is that they can access information stored on the devices. We have become so reliant on our mobile phones that few of us remember many phone numbers. You might even store much more than just contact information on your phone. You could have credit card information, passwords, and other private info as well.

Clickjacking attacks could target that information, giving hackers access to the data that they need to steal your identity or make fraudulent purchases in your name. They could also steal your contacts to spread clickjacking attacks to everyone on your phone.

The possibilities are frighteningly endless. Unfortunately, it’s unclear how people can best protect themselves when using smart phones. For now, stay vigilant and critical of everything that you see online. And make sure that you check all of your devices for hidden viruses that might steal your information.

Clickjacking becomes more widely known

November 30, 2010

Not only have dictionaries recently started vetting the word “clickjacking” to determine whether it is worthy of long term use, but the Oxford University Press recently included it in their 2010 Word of the Year shortlist. You can read the entire list at the OUP UK website.

This annual list of words always gets a lot of media attention. That means more people are likely to become familiar with the word “clickjacking” over the next few weeks. Hopefully they will also learn what the word means and how to avoid becoming a victim.

Luckily, the OUP editors got the word’s definition spot on.

Knowing what a clickjack is, though, is not the same thing as knowing how to protect yourself from one. In fact, there isn’t always a great way to protect yourself from clickjacking, especially considering that Facebook and other social networking sites make it easy for hackers to spread these attacks throughout communities quickly. Sometimes you get hit by an attack before you even know it exists.

Internet security companies are working on solutions that will prevent clickjacking attacks, but it seems unlikely that Internet users will be completely safe any time in the near future. That’s because UI redressing, as clickjacking is known more formally, takes advantage of a flaw that is inherent in the way that the Internet works. Someone would have to radically redesign the Internet’s basic structure before they could prevent all clickjacking attacks. That seems a little unlikely.

In the meantime, you can use your head to keep an eye out for suspicious links. Also, install antivirus software to help ensure that clickjacks don’t install any malware on your computer.

Getting clean after a clickjack attack

October 25, 2010

If you’re searching for information about clickjack attacks, then there is a good chance that you’ve already been nailed by some sneaky hacker. While it is important for you to learn how to avoid clickjacking in the future, it is equally important for you to learn how to make sure the attack hasn’t caused any harm to your computer. In essence, you need to learn how to clean up after the attack.

The first thing you want to do is identify any malware that has been installed on your computer. A clickjacked page can install viruses, worms, keystroke loggers, and other types of malware without your knowing it. So what’s the smartest way to identify and eliminate malware? Use two antivirus programs to scour every section of your computer. Be sure that you choose reliable software by checking the ratings at cnet.com.

After you find two programs, perform a thorough sweep. Most antivirus software allows you to adjust its search parameters. Set them as wide as they will go to locate hidden malware.

If you have been clickjacked on Facebook, then you will need to remove any status updates that the link might have added to your profile. If the likejack has added any applications to your profile, you should delete them as well. You might also want to post an apology to your friends just to let them know that they shouldn’t follow the link.

Your computer should be safe to use, now. In the future, be sure to run your antivirus software at least once a day. Alternating the software throughout the week will help ensure that you catch every piece of malware that sneaks onto your computer.

Clickjacking represents a serious problem for some employers

October 4, 2010

Most employers worry about viruses, trojans, and other types of malware that infiltrate their systems via emails. A recent survey, however, shows that employers might want to have their IT managers shift the focus from email to internet security risks. According to Panda Security, cybercriminals have been devoting more of their resources to clickjacking techniques rather than email scams.

Clickjacking uses an invisible frame that sits on top of an image or link. When you look at a web page that has been clickjacked, you will only see common images, buttons, and links. By and large, they look just like other websites. Actually, that’s the point because the criminals want to convince you that it’s perfectly safe to click on the pages. Unfortunately, when users click on certain elements, they click on invisible links that hover above the elements that they can actually see. Clicking on the invisible links can unleash troublesome malware.

Currently, social networking sites are the easiest ways for criminals to spread clickjacking attacks. In fact, clickjacks on Facebook have become so common that they are now referred to as likejacks. The criminals who use Facebook frequently use the site’s like button to lure in victims.

Why is this such a problem for employers?

The Panda Security survey shows that 77 percent of employees polled admitted to using company computers to access social networking sites. Perhaps even more disturbing is that 33 percent of the companies included in the survey were infected by malware distributed through clickjacks.

The easiest solution is for employers to block Facebook, Myspace, and similar sites. Businesses that rely on these sites to communicate with their customers, however, might not have this option. Instead, they should focus on educating employees about the dangers of clickjacking and ways that they can protect their computers while logged on to social networking sites. In addition, using reliable antivirus software and scanning your computers for harmful files regularly can improve performance and stop malware from causing problems.

Let me clue you in

September 28, 2010

Let me clue you in on something.

There’s no guarantee that you’re going to avoid clickjacking attacks… unless you never ever click on a link. Just avoid the whole internet. That should keep you safe.

Even if you are using Firefox or some other security-enhanced Web browser in conjunction with NoScript, you could still fall victim to a clickjacking plot. You can only protect yourself to a certain extent. Even if you keep your wits about you, there’s a good chance that you’re going to get clickjacked at some point. All it takes is one mistake, and hackers are very good at encouraging you to make mistakes long before you realize what you have done.

So, you’re at least somewhat screwed here.

That’s why it’s important to use third-party software to make sure that your computer doesn’t have any malware installed on it. In fact, if you really want to play it safe, then you’ll install two pieces of antivirus software and you’ll run them both daily.

Does that sound like a lot? I spend a large chunk of my day online because of work. That means I probably have a larger chance of running into clickjacks and malware than you, unless, of course, you’re a bigger dork than I am. At the same time, knowing a lot about computer security means that I should be able to protect myself from exposure. Even with my level of expertise, though, I frequently find that some piece of malware has slipped through my defenses. I certainly don’t find security risks every time I run my antivirus protection. But I find something fishy at least once a week.

If I’m vulnerable to these attacks, then just imagine your own risk.