Oct 23

A technology lawyer says that Facebook has paid a high price for making a basic Web 2.0 mistake that sites like MySpace, Flickr and YouTube avoid.

Investigators working for New York Attorney General Andrew Cuomo posed as young teenagers and set up profiles on Facebook. According to a statement from Cuomo’s office, “they received online sexual advances from adults within days and found widespread pornographic and obscene content.”

The investigators also accused Facebook of failing to respond, and at other times being slow to respond, to complaints lodged by investigators posing as parents of underage users, asking the site to take action against predators that had harassed their children.

Cuomo issued a subpoena to Facebook less than a month ago, demanding sight of certain documents. It was accompanied by a letter warning the company that “it could potentially face consumer fraud charges for failing to live up to its claims that youngsters on the website were safer from sexual predators than at most sites and that it promptly responds to concerns.” Facebook had also represented itself as a “trusted environment for people to interact safely,” according to Cuomo.

Facebook’s settlement of the complaint was announced at a press conference on Tuesday.

Under the terms of the settlement, Facebook agrees “to respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.” It must also report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been emailed to abuse@facebook.com.

Hyperlinks must be placed “throughout Facebook’s website” for accepting complaints about nudity or pornography, harassment or unwelcome contact. An Independent Safety and Security Examiner will be appointed to report on Facebook’s compliance.

Facebook must also provide “a prominent and easily accessible hyperlink” to allow a Facebook user or their parent to give feedback direct to the Examiner.

“I applaud Facebook for addressing my office’s concerns about the site’s representation that they provided a safe environment and an expeditious complaint review process,” said Cuomo. “I believe our agreement will provide additional confidence to young people and parents alike and give Facebook a competitive advantage in the marketplace for setting a new standard for safety.”

The Attorney General’s statement also quoted Facebook’s founder and CEO. “Privacy and safety have been a priority since we first built Facebook,” said Mark Zuckerberg. “Our agreement with Attorney General Cuomo will set new industry standards to stop abuse online.”

“We applaud the Attorney General’s leadership and are committed to working together to keep Facebook safe,” added Zuckerberg.

Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said that Facebook’s failure to take some of these steps of its own volition was a surprise.

“Any site that relies on user-generated content, whether it’s a small blog or a social networking giant, needs a prominent complaint mechanism. That doesn’t just help users, it also helps to channel complaints in a way that makes them manageable. I’m amazed that Facebook didn’t have that already,” he said. “It’s even more important for a site that’s targeting children as well as adults.”

Facebook claims to have 47 million users. Its terms and conditions state that the site is “intended solely for users who are thirteen (13) years of age or older”. The company’s Chief Privacy Officer, Chris Kelly, told reporters this week that it believes 80% of users are over 18 but that it has no firm data.

“If Facebook had had obvious complaint systems like YouTube, Flickr and MySpace it might have avoided the Attorney General’s action. It’s now stuck with onerous demands to address complaints within 24 hours and to report on steps taken within 72 hours. Other sites will surely fear these time limits becoming the industry standard.”

In the UK, the general rule is that website operators must deal with complaints about unlawful third-party material ‘expeditiously’. Robertson said that there is no case law that defines how fast that should be, though. “The only legislative reference we have to a specific time limit for the removal of online material is in the Terrorism Act,” he said. Where police officers order a site to remove material that encourages acts of terrorism, the operator must comply within two days, according to that legislation.

Oct 23

With an increase in the number of phishing-related Web sites popping up on the Internet, protecting personal and financial information is becoming more of a challenge.

The scam occurs when an e-mail is sent by a hacker pretending to be from a business or bank and instructs the reader to click on a link that leads to a counterfeit Web site of the business. Upon clicking that link, the reader is asked to provide sensitive information, such as account or Social Security numbers.

The scam continues to evolve and improve. One of the more recent developments is the inadvertent downloading of information-stealing “crime-ware” onto your computer once the link in the phishing e-mail has been clicked, according to the Anti-Phishing Working Group, which includes hundreds of banks, online retailers, technology companies and government agencies and works to spread the word against phishing.

Other recent phishing attempts have involved the Internal Revenue Service. In some of those scams, an e-mail was sent during tax season and instructed the reader to click on a link to receive a refund. The link sent readers to a Web site that looked identical to the IRS site, where they were instructed to provide their Social Security number and credit and bank account numbers.

A computer worm in 2006 took over pages on the social networking Web site MySpace. The worm altered links to direct surfers to sites that were designed to steal login information.

According to computer security company McAfee, the top brand that is exploited by phishing scams is PayPal, at 45 percent, followed by eBay at 27 percent. The most common phishing subject line, according to McAfee, is “Question from eBay Member regarding Item.”

While the number of phishing Web sites has increased, there is a silver lining to this scam: The United States is actually now second in the world in the number of phishing scams reported, slightly behind China — by 1 percent. In addition, the number of days phishing Web sites are up and illicitly collecting information has decreased from nearly a week in October 2004 to 3.6 days by July 2007, according to the Anti-Phishing Working Group.

Sep 17

There is a Sandman impersonator roaming MySpace. Please do not send this person money for bookings, because he is not associated with the former ECW champion. Sandman is being exclusively booked by Tod Gordon. If you are interested in booking him go to www.myspace.com/pwuczar.

Sep 12

Online ads infected with a Trojan virus have been delivered to users of numerous high profile sites participating in Yahoo-owned Right Media’s online ad exchange, according to Web security firm ScanSafe.

ScanSafe reported that during a period beginning August 8th and lasting until early September, it saw a surge in the number of Trojan-Downloader.VBS.Agent detections it was blocking. The virus was being unknowingly distributed by over 70 Right Media ad servers, which ScanSafe estimates delivered up to 12 million infected ads in recent weeks. MySpace, Bebo, Photobucket and The Sun were among the sites carrying virus-laden ads.

Although declining an interview, a Right Media spokesperson issued a statement saying, “We became aware of a Trojan [advertisement] introduced into the Right Media Exchange by a member network. The ad has been identified as a high risk creative and banned from the exchange”.

The Trojan itself required no interaction from the user to infect their machine, meaning that insufficiently patched operating systems were vulnerable simply by browsing to a page containing the ads. The adverts were being delivered to Right Media’s network from a third-party ad server, which was rotating both legitimate and infected ads. The infected placements delivered a Flash file generating an invisible ‘iFrame’, which prompted the download of a Trojan executable file.

In a recent press release, Dan Nadir, vice president for product strategy at ScanSafe, said: “This is another example of how legitimate ‘trusted’ Web sites can unknowingly host malware. Online ads have become a primary target for malware authors because they offer a stealthy way to distribute malware to a wide audience”.

On its Web site, Right Media describes how each newly uploaded creative is run through a series of 10 tests in order to detect malicious activity. ScanSafe suggested the infected ads were designed to distinguish between scanning servers and regular site servers, and to deliver to the former ads with no malicious code to avoid detection.
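The two mechanisms described above, a creative that injects an invisible iframe and a creative that serves clean content to the exchange's scanners but malicious content to real visitors, both point to the same defensive check: capture what a creative actually serves to a realistic client, compare it with what the scanner saw, and flag hidden frames in the client-side result. The following is an added example in Python, not code from the article, ScanSafe or Right Media. It assumes that the "client view" is markup captured after rendering (for example, the DOM dumped by a browser harness, which is the only way a frame injected by a Flash file would become visible to a static check); the creative name, the HTML samples and the `.invalid` URL are all constructed for the example.

```python
"""Added example: flag ad creatives that hide iframes or serve different
content to a scanner than to a realistic client. Not the exchange's own
scanning logic; thresholds and sample markup are constructed."""
from html.parser import HTMLParser
import hashlib
import re


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the markup."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values without a value (e.g. <iframe hidden>) come back as None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """An iframe is treated as hidden when it is styled away or sized at 1px or less."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        raw = attrs.get(dim, "").strip().rstrip("px")
        if raw.isdigit() and int(raw) <= 1:
            return True
        m = re.search(dim + r":(\d+)px", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def hidden_iframes(markup):
    """Return the src of each hidden iframe found in the given markup."""
    parser = _IframeCollector()
    parser.feed(markup)
    return [a.get("src", "") for a in parser.iframes if _is_hidden(a)]


def content_fingerprint(markup):
    """Hash the markup with whitespace collapsed so cosmetic differences do not count."""
    normalized = re.sub(r"\s+", " ", markup).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def assess_creative(name, scanner_view, client_view):
    """Compare the scanner's capture with the realistic client's rendered capture."""
    findings = []
    if content_fingerprint(scanner_view) != content_fingerprint(client_view):
        findings.append("serves different content to scanner and real client")
    hidden = hidden_iframes(client_view)
    if hidden:
        findings.append("hidden iframe(s) in client view: " + ", ".join(hidden))
    return {"creative": name, "suspicious": bool(findings), "findings": findings}


# Constructed samples: what the exchange's scanner received, and what a
# realistic client received for the same creative.
SCANNER_VIEW = '<div class="ad"><img src="banner.gif" width="300" height="250"></div>'
CLIENT_VIEW = (
    '<div class="ad"><img src="banner.gif" width="300" height="250">'
    '<iframe src="http://ad-placeholder.invalid/loader" width="0" height="0" '
    'style="display: none"></iframe></div>'
)

if __name__ == "__main__":
    print(assess_creative("creative-001", SCANNER_VIEW, CLIENT_VIEW))
```

The point of the comparison is that a scan performed only from the exchange's own infrastructure is exactly what a cloaking creative is built to pass; capturing from a client that looks like a real visitor, and diffing, turns the cloaking itself into a signal.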

Right Media’s spokesperson did not discuss plans to prevent future incidents of this nature, but said the ad exchange is “committed to finding ways of keeping this type of activity away from consumers and publishers”.

The use of online advertising as a delivery mechanism for malware appears to be a rising menace. A report released earlier this summer by the Finjan Malicious Code Research Center found a rise in the use of affiliate ad networks to infect computers with keystroke loggers and other malicious code.

Aug 08

A million US victims lost “billions of dollars” to email phishing scams in the past two years, new research has warned.

According to Consumer Reports’ latest State of the Net survey, American consumers lost more than $7 billion over the last two years to viruses, spyware, and phishing scams.

Additionally, the survey shows that consumers face a one in four chance of succumbing to an online threat, a number that has slightly decreased since last year.

The number of consumers responding to email phishing scams has remained constant at eight per cent. The research projects that one million US consumers lost billions of dollars over the past two years to such scams.

The study went on to warn that many underage youngsters are at risk on social networks such as MySpace and Facebook. In households surveyed with minors online, 13 per cent of the children registered on MySpace were younger than 14, the minimum age the site officially allows, and three per cent were under 10. And those were just the ones the parents knew about.

Based on the survey, Consumer Reports projects that problems caused by viruses and spyware resulted in damages of at least $5 billion over the past two years.

The poll was conducted by the Consumer Reports National Research Center among a nationally representative sample of more than 2,000 US households with internet access.

Based on survey projections, computer virus infections prompted an estimated 1.8 million households to replace their computers in the past two years and 850,000 households to replace computers due to spyware infections in the past six months.

Additionally, 33 per cent of survey respondents did not use software to block or remove spyware. And the study projects that 3.7 million US households with broadband remain unprotected by a firewall.

Jul 24

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections.

Screen snapshot of ‘timberlinebombinfo’ MySpace account

The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.

While there’s been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn’t said much about it since. The two other cases in which federal investigators were known to have used spyware – the Scarfo and Forrester cases – involved agents actually sneaking into offices to implant keyloggers.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

“The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique,” Sanders wrote. A reference to the operating system’s registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was “previously connected to.”

News.com has posted Sanders’ affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.

There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an “Internet Protocol Address Verifier” that was sent to a suspect via e-mail.

But bloggers at the time dismissed it – in hindsight, perhaps erroneously – as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.

Finding out who’s behind a MySpace account
An interesting twist in the current case is that the county sheriff’s office learned about the MySpace profile – timberlinebombinfo – when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff’s office reported that 33 students received a request to post the link to “timberlinebombinfo” on their own MySpace pages.

In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs@gmail.com) the week of June 4. A representative excerpt: “There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am.”

The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.

That’s when the FBI decided to roll out the heavy artillery: CIPAV. “I have concluded that using a CIPAV on the target MySpace ‘Timberlinebombinfo’ account may assist the FBI to determine the identities of the individual(s) using the activating computer,” Sanders’ affidavit says.

CIPAV was going to be installed “through an electronic messaging program from an account controlled by the FBI,” which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)

After CIPAV is installed, the FBI said, it will immediately report back to the government the computer’s Internet Protocol address, Ethernet MAC address, “other variables, and certain registry-type information.” And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There’s no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers — which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.

Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI’s perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV. Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order. The verbatim results of our survey are here.

Written by: Declan McCullagh

Jul 06

Researchers are warning of a widespread MySpace drive-by exploit attack meant to compromise machines so more profitable phishing schemes remain successful.

MySpace users become infected when they visit a profile page containing malicious JavaScript and then are silently redirected to an Internet Explorer exploit, which was patched in April.

The exploit installs a common proxy network bot, known as a flux bot, which is used to hide phishing sites behind constantly changing proxy servers, Ullrich explained. The cybercriminals, in other words, use their newly compromised PCs to hide the tracks of unrelated phishing scams targeting banks and other financial institutions.

“It lends some secrecy to the scam and it makes it harder to shut down,” he said. “Now, the actual machine (the victim) that is connected to in order to get to the phishing site changes by the minute. You can’t easily block them. It’s not that obvious.”

The botnets are also being used to send spam, Ullrich said.
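The flux-bot behaviour described above, where the address a phishing hostname resolves to changes by the minute as compromised PCs are rotated in front of the real site, leaves a trace in DNS that defenders can look for: very short TTLs, many distinct A records for one name over a short window, and addresses scattered across unrelated networks. The block below is an added example in Python, not code from the article or from Ullrich's team, showing that heuristic run over constructed DNS observations. The hostnames, addresses (from the reserved documentation ranges), timestamps and thresholds are all assumptions made for the example; using /24 prefixes as a stand-in for network (ASN) diversity is a simplification, since a real deployment would map each address to its origin AS with a routing table.

```python
"""Added example: a simple fast-flux heuristic over constructed DNS lookups.
Not from the original article; thresholds and data are illustrative."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsObservation:
    domain: str
    seen_at: int       # seconds since epoch (constructed)
    ttl: int           # TTL the resolver returned
    answers: tuple     # A records returned by this lookup


# Constructed observations: one hostname rotating through many addresses
# with a short TTL (the flux pattern), one stable hostname for comparison.
OBSERVATIONS = [
    DnsObservation("login-verify.example", 0, 300, ("203.0.113.10", "198.51.100.7")),
    DnsObservation("login-verify.example", 300, 300, ("192.0.2.44", "203.0.113.77")),
    DnsObservation("login-verify.example", 600, 300, ("198.51.100.90", "192.0.2.8")),
    DnsObservation("login-verify.example", 900, 300, ("203.0.113.200", "198.51.100.150")),
    DnsObservation("www.example", 0, 86400, ("192.0.2.1",)),
    DnsObservation("www.example", 86400, 86400, ("192.0.2.1",)),
]


def summarize(observations):
    """Per-domain counts of lookups, distinct addresses, distinct networks and minimum TTL."""
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)
    stats = {}
    for domain, lookups in by_domain.items():
        ips = {ip for o in lookups for ip in o.answers}
        # /24 prefixes stand in for ASN diversity, which needs a routing table
        nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
        stats[domain] = {
            "lookups": len(lookups),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(o.ttl for o in lookups),
        }
    return stats


def is_fast_flux(stats, max_ttl=600, min_ips=5, min_nets=3):
    """Flag a name when its TTL is short and its answers are numerous and spread out.
    The thresholds are assumptions for this example, not tuned values."""
    return (
        stats["min_ttl"] <= max_ttl
        and stats["distinct_ips"] >= min_ips
        and stats["distinct_nets"] >= min_nets
    )


def flag_domains(observations):
    """Return the sorted list of domains whose lookups match the fast-flux pattern."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        print(domain, s, "FLUX" if is_fast_flux(s) else "ok")
```

A legitimate site behind a content delivery network can also show many addresses with short TTLs, so in practice this heuristic is a triage signal that gets combined with other evidence (the addresses belonging to residential ISPs, for instance) rather than a verdict on its own.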

Potentially thousands of MySpace pages could be infected with the malicious worm, but the infected profiles are “being shut down really quickly,” he said.

A spokesperson for MySpace, which has more than 100 million members, could not be reached for comment.

Ullrich said cyberthieves traditionally tailor their worms for MySpace and other social networking sites because of the younger demographic that use them.

“It has a lot of non-technical users who do not patch their browsers,” he said. “People are not that careful. They may visit MySpace thinking [it’s] a big company and not realising the content of the pages comes from the average user.”

MySpace has been the victim of a number of attacks over the past year. Vincent Weafer, head of Symantec’s Global Security Response, said MySpace users are often easily fooled into giving up their credentials.

“If I can get into your trusted group, I may be able to get information out of you,” he said.

Colin Whittaker of Google’s Anti-Phishing Team wrote on the company’s security blog recently that many users are tricked into giving their usernames and passwords so crooks can send spam from their account or – worse – use that same log-in information to access their bank accounts.

Written by: Dan Kaplan

Jun 24

As technology becomes increasingly more complex, law enforcement has to evolve to keep up with the modern perpetrator.

Adam Lebowitz, an ex-Grady Hospital doctor infected with HIV, was arrested in Coweta last November after allegedly soliciting sex from a teenage boy he met on the Internet.

Lebowitz was charged with criminal attempt to commit aggravated child molestation, to sexually exploit a child, to commit statutory rape, to commit aggravated sodomy, as well as reckless conduct — for knowingly exposing a person to the AIDS virus, which is a felony — and obstruction of law enforcement, according to Assistant District Attorney Kevin McMurry in a previous interview with The Times-Herald.

Lebowitz has since been indicted and arraigned and is awaiting trial. He also faces similar charges out of Clayton and DeKalb counties.

Recently, the popular social networking Web site MySpace.com created a database as a means to identify and remove registered sex offenders from its online community. Officials with the online site have also agreed to share sex offender data — how many registered sex offenders are using the site and where they live — with attorneys general from eight states, according to The Associated Press.

MySpace general counsel Mike Angus announced that the site has already used the database to remove about 7,000 profiles out of a total of about 180 million, according to the AP.

Federal privacy laws require states to file subpoenas or other legal requests before MySpace can release the information.

Sgt. Mike McGuffey, an investigator at the Coweta County Sheriff’s Office who primarily handles the local sex offender list, is pleased that MySpace has started to share information with law enforcement.

“Predators should have absolutely zero access to places where children congregate, whether that be in public places or on the Internet,” said McGuffey.

McGuffey has been receiving increasingly more reports of incidents that occur online. He admits to using MySpace as “a resource” in solving crimes, although this new resource sometimes complicates the process.

While McGuffey feels the progress being made with MySpace has the potential of making the Web site a slightly safer place for young people to investigate, he points out that technology continues to evolve and predators will invent new ways of targeting the public. Safety against online predators starts in the home, according to the investigator.

“Ultimately, it ought to be up to the parents — it’s their responsibility to take care of their children,” said McGuffey. “Parents should be more involved in their children’s lives than in anything else. They need to set rules and enforce punishment when those rules are broken.”

Parents are advised to monitor their children’s online activities and not allow free rein. Sometimes, children will think that setting their profile to “private” will prevent their personal information from being compromised. But it won’t, reminds McGuffey.

“Even grownups should be careful on the Internet,” said McGuffey.

He especially cautions against dating Web sites, because predators often seek out common interests as a way into that person’s life. Adults are advised against posting pictures of their children online for potential offenders to see.

“A child predator will zero in on your children,” he continued.

Overall, America appears to be more aware of the dangers lurking on the Internet, according to McGuffey. Programs such as Dateline NBC’s “To Catch a Predator” have educated parents and children about how easy it is to fall victim to a predator and how bold these offenders can be. However, according to the investigator, the program is also educating the predator about the justice system and may, in some cases, help the person commit crimes more effectively.

“A true predator is going to do whatever it takes to get to his victim — wherever children congregate, he will be there.”

The following is a list of tips for navigating safely online:

* Just as in public, people should not talk to strangers.

* Parents should set computer filters and activate security features on all home computers whenever possible.

* Don’t allow children to have Internet access in their bedroom.

* Check the computer’s Internet history to see what sites have been visited.

* Finally, never underestimate what people are capable of.

Written by Elizabeth Richardson