Showing posts with label Firefox. Show all posts

Tuesday 22 November 2011

Fake Firefox: "Introducing the new and improved Firefox 8,optimized for Facebook."

Here's a fake Firefox upgrade message circulating by email:

From: Mozilla Firefox [mailto:firefox-update@plrja5f2.fireefox.com]
Sent: 22 November 2011 05:32
Subject: Introducing the new and improved Firefox 8,optimized for Facebook. 211.245.104.78

Facebook recommends the faster Firefox 8.
Can't see images? View on a mobile device

Facebook recommends that you upgrade to the
faster and smarter Firefox 8.

Get It Now
Introducing the new and improved Firefox 8, optimized for Facebook

• Browse faster than the previous version of Firefox.
• Easily organize and arrange your tabs into groups.
• Get on-the-go access to your saved Firefox settings across multiple computers.
• Access the new Facebook features as profile viewers and much more!
Get your free upgrade now.
Already upgraded? Thank you.
All your favorite stuff, all in one place. Make Facebook your home.

Visit Firefox on Facebook
Share:

Mozilla, Firefox, and the Firefox logo are trademarks or registered trademarks of Mozilla..

Update Marketing Preferences   |   Privacy Policy   |    Web Beacons in Email

RefID: sr-12012817


All the links lead to 68.143.18.186.nw.nuvox.net/mozilla-firefox/plrja5f2 which in turn leads to a malicious executable with only 15/42 vendors detecting it at VirusTotal. The malware then attempts to call home to magesticgamers.com and 46.166.129.230.

The ThreatExpert report is here, the Comodo report is here.
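The sender address and download link quoted above are the two details that give this message away: the sender domain is one letter off from the real brand, and the "Get It Now" link points at a hosting provider's reverse-DNS name with the brand stuffed into the path. The following is an added example (not code from the original post) that scores each host a message asks you to trust as legitimate, lookalike or unrelated, using a small edit-distance check against a list of the brand's real domains. The sender and first link are the values quoted in the post; the mozilla.org link is a constructed contrast, and the list of legitimate domains is an assumption for the example.

```javascript
// Added example, not code from the original post: classify the sender and
// link hosts of a message as legitimate, lookalike or unrelated to the brand
// the message claims to come from.
const LEGIT_DOMAINS = ["mozilla.org", "mozilla.com", "firefox.com"]; // assumed list

// Levenshtein edit distance. A small distance between registrable domains
// (fireefox.com vs firefox.com) is the classic typosquat signal.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
    }
  }
  return dp[a.length][b.length];
}

// Registrable domain taken as the last two labels. Simplification: a real
// tool would consult the Public Suffix List so that co.uk and similar work.
function registrableDomain(host) {
  return host.toLowerCase().split(".").filter(Boolean).slice(-2).join(".");
}

// Host part of an email address, a URL, or a bare host/path string.
function hostOf(s) {
  const at = s.lastIndexOf("@");
  if (at !== -1 && !s.includes("://")) return s.slice(at + 1).split("/")[0];
  const noScheme = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return noScheme.split("/")[0].split("@").pop().split(":")[0];
}

function classifyHost(host, legit = LEGIT_DOMAINS) {
  const reg = registrableDomain(host);
  if (legit.includes(reg)) return "legitimate";
  const closest = Math.min(...legit.map((d) => editDistance(reg, d)));
  return closest <= 2 ? "lookalike" : "unrelated";
}

// Review every host a message asks the reader to trust. Any lookalike or
// unrelated host behind a brand-named link is reason enough to bin it.
function reviewMessage(from, links) {
  return [from, ...links].map((s) => {
    const host = hostOf(s);
    return { source: s, host, verdict: classifyHost(host) };
  });
}

const SAMPLE_MESSAGE = {
  from: "firefox-update@plrja5f2.fireefox.com", // quoted in the post
  links: [
    "68.143.18.186.nw.nuvox.net/mozilla-firefox/plrja5f2", // quoted in the post
    "https://www.mozilla.org/firefox/" // constructed legitimate contrast
  ]
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of reviewMessage(SAMPLE_MESSAGE.from, SAMPLE_MESSAGE.links)) {
    console.log(`${f.verdict.padEnd(10)} ${f.host}  <- ${f.source}`);
  }
}
```

Run with `node` and the sender comes back as a lookalike of firefox.com (distance 1), the nuvox.net download host as unrelated, and the mozilla.org link as legitimate. Note that the brand name in the path of the nuvox.net link plays no part in the verdict: only the registrable domain decides, which is exactly the point, since a path can say anything.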

Monday 20 September 2010

The incredibly dangerous world of browser prefetch

Perhaps I've been living under a rock, but this apparently has been a suicidally stupid feature built into Firefox for some time, although it seems to be seldom used.

It started with a short spam apparently advertising a fairly well known black hat forum for hackers and illicit trades. It's not the sort of place that would choose to advertise itself though (it is strictly by invitation only), so quite possibly this is a Joe Job by one set of black hatters against another.

Now I guess that many recipients will have done the same thing, and typed the name of the site into Google to find out about it.. under the assumption that they'll find something that doesn't involve visiting the spamvertised site itself. But if you're using Firefox (and this possibly applies to IE8 and IE9 too), then the following message pops up:


Secure Connection Failed

-----------.com:443 uses an invalid security certificate.

The certificate is not trusted because it is self signed.

(Error code: sec_error_untrusted_issuer)

It could be a problem with the server's configuration or it could be someone trying to impersonate the server.

If you have connected to this server successfully in the past the error may be temporary and you can try again later.

Right at this point I kicked myself because I thought I had accidentally clicked through. But no... the certificate error was showing on the Google search page and I hadn't clicked through at all.. so why was Google trying to load the page and showing the HTTPS error because of the invalid certificate?

The answer lies in prefetch - a combination of a tag on the site, Google and the default browser configuration meant that the browser tried to automatically load content from the bad site just by Googling for something.

Link prefetching (and how to turn it off) is explained in this FAQ or this HOWTO guide.. if you are using a Mozilla based browser then go and turn it off NOW by going into about:config and setting network.prefetch-next to false.

So why is it so dangerous? Have there been any cases of malware using link prefetching to spread? Not that I know of.. although it might be theoretically possible. The danger is that you have just revealed your IP address without knowing it..

Let's look at a particular scenario where this can be used. Let's say the attacker is targeting a victim who is using an unidentifiable email address, and the attacker wants to find that victim's IP to tie them down to a location or organisation. In this scenario, the victim is not stupid.. they don't click on links in spam, they don't reply to untrusted messages, never send read receipts and they don't load external images in their mail client.. but the attacker uses social engineering to send an email with details that the victim might Google (for example a telephone number). The victim may then search for references on Google and even without clicking on anything, the prefetch may reveal their IP address.

Alternatively, prefetch could be used to download illegal content onto a target machine without the victim knowing about it, or there are probably several other ways in which it can be abused.
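The mechanism behind all of this is a `<link>` tag whose `rel` value tells the browser to go and fetch (or resolve) something before the user asks for it. The following is an added example (not code from the original post) that audits a page's HTML for those tags and lists every third-party host the browser would contact with no click at all, which is the information a defender wants when deciding whether a page leaks the reader's IP address. It covers `prefetch`, the case the post describes, and also `prerender`, `dns-prefetch` and `preconnect`, which cause the same silent contact. The sample HTML, the page host and the `.test`/`.invalid` hostnames are constructed for the example.

```javascript
// Added example, not code from the original post: list the hosts a page would
// make the browser contact silently through <link rel=...> hints. Regex-based
// so it runs in Node without a DOM; a production scanner would use a real
// HTML parser. Sample HTML and hostnames below are constructed.
const SILENT_RELS = new Set(["prefetch", "prerender", "dns-prefetch", "preconnect"]);

// Value of one attribute on a single tag, accepting double, single or no quotes.
function attr(tag, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] || m[2] || m[3] || "") : "";
}

// Return [{rel, host}] for every <link> whose rel would trigger a silent
// fetch or DNS lookup of a host other than the page's own.
function silentFetchTargets(html, pageHost) {
  const targets = [];
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const rels = attr(tag, "rel")
      .toLowerCase()
      .split(/\s+/)
      .filter((r) => SILENT_RELS.has(r));
    if (rels.length === 0) continue;
    let host;
    try {
      // Resolve relative and protocol-relative hrefs against the page origin.
      host = new URL(attr(tag, "href"), "https://" + pageHost + "/").hostname;
    } catch (e) {
      continue; // malformed href: nothing the browser could fetch
    }
    if (host !== pageHost) targets.push({ rel: rels.join(" "), host });
  }
  return targets;
}

// Constructed sample: a search-style page with one same-origin prefetch
// (harmless) and three hints pointing at other hosts.
const SAMPLE_PAGE_HOST = "search.example.test";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="prefetch" href="https://bad-example.invalid/landing.html">
<link rel="dns-prefetch" href="//cdn.example.test">
<link rel="prefetch" href="/next-page.html">
<link rel='prerender' href='https://tracker.example.test/'>
</head><body></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const t of silentFetchTargets(SAMPLE_HTML, SAMPLE_PAGE_HOST)) {
    console.log(`${t.rel.padEnd(13)} ${t.host}`);
  }
}
```

Run with `node` and the three external hosts are reported while the stylesheet and the same-origin prefetch are ignored. On the browser side, the post's own fix of setting network.prefetch-next to false in about:config can be pinned in a user.js file with `user_pref("network.prefetch-next", false);`; DNS prefetching is controlled by a separate preference, network.dns.disablePrefetch, which the post does not mention.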

So it's hard to tell if the original spam was a Joe Job, or someone using prefetch to collect IP addresses for evil purposes. But I'll bloody well keep the prefetch switched off in future..

Tuesday 16 December 2008

"IE 7 users: stop looking at porn now!"


This zero day vulnerability in Internet Explorer has already been very widely publicised. There are no effective workarounds for the problem until Microsoft patch it.. apart from using a different browser.

The aptly named Zero Day blog has this sage piece of advice: "IE 7 users: stop looking at porn now!" Simply put, randomly surfing for smut, warez, illegal torrents or anything like that* is likely to infect your machine if you are running IE.

In fact, because there's no such thing as a safe site you should consider ditching IE altogether. If you're running Windows then probably one of the safest things you can do is get Firefox, add the NoScript extension and then ensure that your PC is fully up-to-date by using the Secunia Software Inspector. Even security firms such as CA and Trend Micro have had their sites compromised to serve up malware in the past, so you can never be too careful...

* or Myspace.. or Facebook..