Security Alerts
New Spam & Phishing Emails
With the start of the school year, SF State is seeing increased phishing activity with a large number of variants. The Cisco IronPort anti-spam appliance continues to struggle to identify and block some of these messages, so continued vigilance by users is required.
These emails prompt the recipient to reply with their SFSU email IDs and passwords. A new variant is below.
"Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit, You are to enter your E-mail address and password here {____________, __________} to set in an anti virus in your user account to clear up this virus."
Any email that asks you for your password should be considered suspect; SF State does not ask for passwords by email. Do not reply to such messages. Additional information on recognizing and avoiding phishing attempts is available on the SF State Security Blog.
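The kind of content check an anti-spam gateway can apply to the "reply with your password" variants described above, as an added example for this advisory (it is not SF State's IronPort configuration). The From, Reply-To and To headers wrapped around the quoted variant, and the legitimate comparison message, are constructed for the demonstration:

```python
"""Heuristic filter for credential-solicitation phishing.

Added example for this advisory; it is not SF State's IronPort policy.
The header fields in both samples (From, Reply-To, To, Subject) and the
legitimate comparison message are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# A request verb followed, within the same sentence, by a credential word.
ASK_FOR_CRED = re.compile(
    r"\b(enter|send|reply\s+with|provide|confirm|submit|type)\b"
    r"[^.]{0,80}?\b(password|passcode|pin)\b", re.I | re.S)
# Fill-in-the-blank fields such as {____________, __________}.
BLANK_FIELDS = re.compile(r"[{(\[]\s*_{3,}")
# Threat or urgency language used to pressure the reader.
URGENCY = re.compile(
    r"\b(virus|suspend|deactivat|expir|verify|urgent|immediately)", re.I)


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def domain_of(header: str) -> str:
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> dict:
    """Return {'suspect': bool, 'indicators': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    indicators = []
    asks_for_password = bool(ASK_FOR_CRED.search(body))
    if asks_for_password:
        indicators.append("instructs recipient to supply a password")
    if BLANK_FIELDS.search(body):
        indicators.append("fill-in-the-blank fields in body")
    if URGENCY.search(body):
        indicators.append("urgency or threat language")
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    # Advisory policy: any request to hand over a password is suspect on
    # its own; the weaker signals only count in combination.
    return {"suspect": asks_for_password or len(indicators) >= 3,
            "indicators": indicators}


# Constructed header envelope around the variant quoted in the advisory.
PHISH_SAMPLE = """\
From: "Webmail Admin" <admin@sfsu.edu>
Reply-To: webmail-upgrade@example.net
To: user@sfsu.edu
Subject: Important notice

Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit, You are to enter your E-mail address and password here {____________, __________} to set in an anti virus in your user account to clear up this virus.
"""

# Constructed legitimate notice: mentions passwords but never asks for one.
LEGIT_SAMPLE = """\
From: IT Help Desk <helpdesk@sfsu.edu>
To: user@sfsu.edu
Subject: Scheduled password expiration

Your SF State password will expire in 10 days. Change it through the Password Self-Service page on the campus website before it expires. The Help Desk will never ask you for your password by e-mail, and you should not reply to this message.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze(sample))
```

The decisive rule is the first one: a message that tells the reader to enter, send or confirm a password is flagged regardless of anything else, which is exactly the advice given to users above. The Reply-To mismatch matters because the From header is trivially forged; the address the reply actually goes to is the one the attacker controls.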
iPhone Attack and Spoofing via SMS
A number of media reports have emerged over the past several weeks regarding attacks on cell phones, primarily via SMS. The attacks are two-pronged:
- Text messages can be spoofed so that they appear to come from the user's carrier. These messages aim to trick users into installing malicious code on their phones. Because users have no control over which SMS messages they receive, they should be cautious about any message they cannot verify, especially one claiming to be from a carrier. Confirm with the carrier before acting on any SMS that prompts you to download something or follow a link, and ignore download prompts from any other source.
- A stream of SMS messages containing specially crafted characters can trigger a buffer overflow in the phone's SMS handling, allowing remote code execution and the overwriting of data. According to the researchers, roughly 512 text messages are sent to the target phone. This occurs without any interaction from the user, who has no control over it; the only warning is a single text message containing a small square character. Shutting down the iPhone within a few seconds of receiving that message prevents the code from executing. SecurityFocus has confirmed that Apple released a patch for this vulnerability on July 31, 2009 (iPhone OS 3.0.1). iPhone users need to click the "Check for Update" button in iTunes to download and apply the nearly 300 MB update.
New "Zero-Day" Vulnerabilities in Adobe Flash & Microsoft Visual Studio
Attackers have begun exploiting another new vulnerability in Adobe Flash Player, which also affects the Flash component bundled with Adobe Reader and Acrobat, by taking advantage of the fact that Flash content can be embedded in PDF files. A malicious Flash object is embedded in an otherwise clean PDF; any user who opens that PDF, whether in a browser or by downloading it and opening it in a local reader, is infected with malware. The same malicious Flash objects can also be embedded directly in web pages, so a PDF is not required.
This vulnerability affects Windows, Linux and Macintosh systems. Adobe is developing a fix and has slated the update to be available by July 30, 2009; Adobe's security advisory tracks the progress of that fix. Running with User Account Control (UAC) enabled on Windows Vista may also limit the damage an exploit can do. Symantec recommends a set of best practices for mitigating the threat. Softpedia advises that, "Firefox users can employ the NoScript extension, which blocks flash movies by default, to protect themselves. However, the only advice to Internet Explorer users is to exercise extra caution when browsing untrusted websites and to keep antivirus definitions up-to-date."
Most AV vendors detect the malicious PDFs as Trojan.Pidief.G. The CERT advisory has further details. Adobe has since released a security advisory and a patch for this vulnerability and recommends that users upgrade to the latest version. Compare the Flash Player version your browser reports (Adobe provides a version-check page) against the fixed version listed in Adobe's advisory, and remember that the browser plug-in and the copy inside Reader/Acrobat are updated separately.
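Because the malicious Flash object rides inside a PDF, and PDF streams are normally Flate-compressed, a plain string search of the file for a SWF header finds nothing. The scanner below, an added example for this advisory rather than Adobe's, Symantec's or CERT's detection logic, inflates each stream before looking for the SWF magic bytes and also checks for the rich-media object keys Acrobat uses for Flash annotations. The dictionary keys it checks and the two minimal PDFs it builds are assumptions for the demonstration; the "SWF" payload is only the magic bytes plus filler, not a real movie:

```python
"""Spot Flash (SWF) content hidden inside a PDF.

Added example for this advisory; not Adobe's, Symantec's or CERT's
detection logic. The dictionary keys checked and the sample PDFs built
below are assumptions for illustration.
"""
import re
import zlib

# First three bytes of every SWF file: uncompressed, zlib- and LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Object keys associated with Flash in PDF (Acrobat 9 rich-media annotations,
# SWF MIME type on embedded files); assumed markers, not an exhaustive list.
FLASH_KEYS = (b"/RichMedia", b"x-shockwave-flash")

STREAM_START = re.compile(rb"(?<!end)stream\r?\n")          # not 'endstream'
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?![\s\d]*R)")   # direct, not 'n 0 R'


def iter_streams(pdf: bytes):
    """Yield (dictionary, raw_bytes, inflated_or_None) for each stream object."""
    for m in STREAM_START.finditer(pdf):
        obj_start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        dictionary = pdf[obj_start:m.start()]
        length = LENGTH_RE.search(dictionary)
        if length:
            raw = pdf[m.end():m.end() + int(length.group(1))]
        else:  # no direct /Length: fall back to the endstream keyword
            raw = pdf[m.end():pdf.find(b"endstream", m.end())].rstrip(b"\r\n")
        inflated = None
        if b"/FlateDecode" in dictionary:
            try:
                inflated = zlib.decompress(raw)
            except zlib.error:
                inflated = None  # truncated or deliberately broken stream
        yield dictionary, raw, inflated


def find_flash(pdf: bytes) -> list:
    """List the reasons a PDF looks like it carries Flash content."""
    findings = [f"dictionary key {k.decode()}" for k in FLASH_KEYS if k in pdf]
    for _dictionary, raw, inflated in iter_streams(pdf):
        for blob, where in ((raw, "raw stream"), (inflated, "inflated stream")):
            if blob and blob[:3] in SWF_MAGIC:
                findings.append(f"SWF header {blob[:3].decode()} at start of {where}")
    return findings


def build_sample_pdf(stream_payload: bytes, rich_media: bool) -> bytes:
    """Constructed minimal PDF whose only stream is Flate-compressed, so a
    plain grep of the file for 'CWS' misses the embedded object."""
    compressed = zlib.compress(stream_payload)
    annot = (b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent << /Assets 5 0 R >> >>"
             if rich_media else b"<< /Type /Annot /Subtype /Text /Contents (note) >>")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        annot,
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(compressed) + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for number, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % number + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    fake_swf = b"CWS\x0a" + b"\x00" * 64   # SWF magic plus filler, not a real movie
    print(find_flash(build_sample_pdf(fake_swf, rich_media=True)))
    print(find_flash(build_sample_pdf(b"BT /F1 12 Tf (hello) Tj ET", rich_media=False)))
```

The stream length is taken from a direct /Length value where one exists, because compressed data may legitimately contain bytes that look like the endstream keyword; when decompression fails the scanner still reports the raw bytes, since a deliberately corrupted stream is itself a reason to look closer. The check is a triage aid, not a replacement for the vendor patch: it cannot tell a benign SWF from an exploit.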
Microsoft Vulnerability in IE and Visual Studio
In other news, Microsoft is releasing emergency (out-of-band) updates on July 28, 2009 for Internet Explorer and Visual Studio. Microsoft has not yet provided details of the vulnerabilities. "While we can't go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications," the MSRC stated.
Malware Being Spread Via Electronic Cards
Cyber-thieves continue to use fake e-greeting cards to deliver malware. This activity began in earnest in early February, around Valentine's Day, and a number of variants are emerging that anti-virus vendors have difficulty detecting. Do NOT open any attached e-card or zip file; delete the message without viewing it.
Never open an attachment that supposedly contains a greeting card; legitimate e-cards are no longer sent as attachments. The only safe way to view an e-card is to go to the publisher's web site yourself rather than clicking the link in the message.
Some of the newest scams also involve an e-mail offering a free development kit that supposedly lets you create your own Valentine e-cards.
New Adobe Zero Day Overflow Vulnerability, 2.20.09
Adobe has announced that a significant new vulnerability has been found in Adobe Reader and Acrobat (the PDF viewer) and that it will not be patched for several weeks. Although we expect our anti-virus vendor to ship detection signatures sooner than that, in the meantime you may want to:
- switch your default PDF handler to another viewer, such as Preview on the Mac
- disable JavaScript in Reader and Acrobat (Edit > Preferences > JavaScript, uncheck "Enable Acrobat JavaScript")
- avoid opening PDFs from unknown or untrusted sources
Conficker Virus/Worm (aka "Downadup" / "Kido")
The Conficker worm has infected millions of machines. Protection from this worm requires a multi-pronged defense:
- run trusted anti-virus software with the latest updates; if you don't have one already, a free version is available to staff, faculty and students via the Help Desk.
- configure your anti-virus software to scan all file extensions and external drives (especially MP3 players and USB drives), which Conficker uses to spread.
- install the MS08-067 patch from Microsoft (Windows only); Conficker spreads across the network by exploiting the vulnerability this patch fixes.
Additional information on the Conficker worm is available in a recent article from the New York Times. If you have difficulty updating your anti-virus software, your machine may already be infected, since the worm blocks access to anti-virus update sites; contact the Help Desk (helpdesk@sfsu.edu).
Phishing Activity
Phishers continue their efforts to steal account IDs and passwords using forged e-mails, text messages, and phone calls with forged caller ID numbers. It is not the practice of SF State to gather sensitive information via e-mail or text messages. Verify a caller's identity (for example, by calling back a main number published in an official directory) before providing any sensitive information.
