A year in security: the 2010 edition

Hey look, it’s a “this is what happened this year” post. Don’t worry, I won’t be making any security predictions (because unless I'm Nostradamus I can’t tell you what’s going to happen next week, never mind in six months time) and there won’t be any flying car jokes either.

With that out of the way, let’s see some of the antics that took place and caught my eye in 2010…

January: Getting the year off to a flying start, the ukfi.gov.uk website was defaced by an Albanian hacking crew who rather enjoyed making your browser fly across the desktop while pumping out bad rap music from your speakers. .gov websites are always a prime target for individuals looking to make a statement about something, even if said statement is just usually “lol haxed”.



It’s quite a stylish defacement, I suppose.

February: The Register explored the weird and wonderful world of XBox hacking, something I’ve spent a fair amount of time poking with a stick (don’t worry, I have three lives and a continue left). We also had scareware scammers taking advantage of killer whale attacks and the trusted name of VirusTotal with various fake websites and dodgy forum posts galore. There was also a fake FBI fingerprint scanner which was designed to infect the curious. As I said at the time, question the legitimacy of any fingerprint scanner that accepts pictures of dancing bananas.

Elsewhere, the UK Conservative Party suffered a number of defacements encouraging people to vote for the Labour Party. World of Warcraft authenticators also came under attack, placing budding Leeroy Jenkins fans everywhere at risk.

At least he has chicken.

March: Continuing the whole “gamers in peril” theme, phony Playstation emulators popped up on a couple of websites that infected your computer with Trojans.


Click to Enlarge

Some infected users reported Fake AV popping up after install, which doesn’t surprise me too much. I also rang the bell and yelled “Unclean! Unclean!” in an SC Magazine interview dealing with celebrity deaths and Internet shenanigans.

We also had Toolbars doing their best impression of the Elvis 68 comeback special and reminding us they can still give us a run for their money with built in phish pages.


Click to Enlarge

Mock toolbars at your peril, or something. Phishers also compromised the website of The Big Issue, directing users to fake Paypal pages. There’s low, and then there’s “more low”.

April: Oh look, iPad spam on Twitter. We’d see sporadic outbreaks of “pimping stuff” on Twitter throughout the year, and the iPad was always going to be an attractive target for both scammers and victims alike. We also had Zango installers lurking on Download.com, a website belonging to a Matrix actor hacked (he was one of the shouty guys, in case you were wondering) and a big defacement on The Telegraph website which was caused by comments made on the popular TV show Top Gear. There was also a phishing education test which was, er, blocked for phishing. As good a way as any to wrap up April, methinks.

May: Everything went a little crazy in May when I uncovered a simple (yet effective) DIY Botnet creation kit for Twitter.



Told you it was simple. As with any Twitter based Botnet, the commands have to come from a public account which means it’s relatively easy to detect accounts sending commands to Bots. As a sidenote, I did find it rather humorous when a random pr firm working for a security company I’d never heard of sent me a press release proclaiming that “A DIY Twitter Botnet creation kit has been discovered”.

Thanks for the heads up! I guess…

We also saw that Facebook users will happily cut and paste Javascript code into their browsers (no really) if asked to do so by dodgy looking websites. The old “cut and paste” method remains a constant thorn in the side of Facebook, and I doubt it’ll be going away anytime soon. Scribd put in an appearance due to over 4,500 logins being posted to a document on the site.


Click to Enlarge

June: Doctor Who became a target not once but twice in the month of June, due to a combination of the series ending and the new Doctor Who game being launched. TV shows in general are great low hanging fruit for scammers, who throw together websites promising online episodes before dumping you on surveys, more surveys and…er…surveys.


Click to Enlarge



The game thing was interesting – people in the UK pay a licence fee to get some BBC related action, but with the game being a Worldwide release anyone outside of the UK had to pay a small fee to obtain the game. Of course, people weren’t too happy about this and before long cracked versions started popping up online. Some of them contained nasty surprises.

There was even a version of the game uploaded to a site that required users in the UK to pay £10 plus network rates to download what would have been free for those users anyway.

Whoops.

Videogamers became targets yet again, as Fake AV peddlers poisoned search results related to treasure maps in Red Dead Redemption.





Taking a peek into Facebook land, we had fake “your account has been deactivated” emails doing the rounds which took users to phish pages and denied them access to games about cows. Bit of an odd month, really.

July: Special Zynga gifts ahoy! Also: here comes a phish. Elsewhere, we had some Justin Bieber chaos with Youtube being affected by an XSS flaw leading to overlays, scrolling text, porn redirects and – of course – a bunch of stupid surveys.

Everyone hates surveys, right? They were particularly popular when Toy Story 3 launched, with scammers setting up – what else? – fake “watch the movie” websites that pop surveys asking for personal info galore.


Click to Enlarge

Selecting a kids movie then plastering it with popups asking for info that someone aged 18+ would normally be required to fill in seems all kinds of wrong, but there you go.

September: I love an oddball story, and this one was right up at the top of the oddball pile. A Greasemonkey script claiming to let users “bypass surveys” sounded fine and dandy, until you tried to download it. In order to grab it, you had to fill in a survey which is a vaguely spectacular way to go about things.



There were also websites claiming to offer a “Skype upgrade”, which of course would cost the user money to obtain. As someone in the comments notes, there are a lot of similar sites offering “updates” for Adobe products too. Steer clear of the lot of them. Games testers were promised all sorts of money, and shady websites popped up asking for lots of personal information for fake “tax rebates”. We also came across a haul of around 2,500+ logins dumped on a public facing website which appeared to be for Facebook.


Click to Enlarge

Back in videogame land, the launch of Halo Reach brought a collection of horrible scams along for the ride. Flaming helmet codes, fake programs and surveys were the order of the day.

October: things seemed to be a little quiet in October, although there was a fake Twitter login page promising “new features” and pictures of semi-naked ladies all over the place. It was actually a kit designed to convince end-users to run fake Java updates and install some malware on their PCs.


Click to Enlarge

Yeah, don’t go installing those things. We also had a truly awesome example of domain name confusion.

Oh, I also gave a bunch of talks (some planned, some along the lines of “Oi, get in here and join in”) at the truly excellent HacKid conference in Boston. Designed to teach kids about the joys of computers, technology and security stuff it was a rip-roaring success and I hope to see more of these next year.

Look! A flying drone thing!



November: The Bayrob Trojan rose from the grave to try and infect people with fake Kodak galleries. Bayrob is a clever EBay scam, which directs infected users to fake auctions in an attempt to take their money and run. Nasty stuff.


Click to Enlarge

We also had fake Trojan removal kits that – oh no! – installed Trojans, Facebook death videos and the excellent IRISSCON, which I was lucky enough to take part in.



No, I didn’t buy an Alan Wake coat. It just looks like one.

December: things tend to go a little quiet in December, because all the scammers are too busy having parties in castles and building gold plated yachts to spend time ripping us all off but a couple of interesting bits and pieces popped up regardless.

First off, some SEO poisoning courtesy of the findings at Mono Lake. There were also some of those Adobe scam sites, iTunes emails serving up exploits and a fake Amazon receipt generator designed to fool unwary sellers into sending out items to scammers.




Click to Enlarge

The gag here was in trying to convince a seller to take their “refunds” outside of the safety net that is the Amazon payment system, or just simply get them to send the scammer lots of free stuff. While I’d like to think people wouldn’t fall for this, there are plenty of horror stories in search engines related to sellers going outside the system and being burnt horribly.

Buyer beware! Uh, I mean seller.

Anyway, that just about wraps up this gigantic slab of War and Peace. Assuming anyone out there is still conscious I’d like to thank you for listening to me ramble on (and on) and for reading all of the blog posts / research put together by everybody on a daily basis.

Have a great (and safe) 2011, and I shall see you on the other side…

Christopher Boyd