Cybersecurity

SPOTLIGHT ON SECURITY

Hacks, Hijacks and Hunts for Chinese Data Thieves

Still smarting from a recent attack on its systems, Facebook started its week with a discovery by researchers at Bitdefender that an infected add-on at the Chrome Web Store was planting malware on its members’ computers. The malware, among other things, was padding the Like counts on dummy Facebook pages.

Once the pages, which are often completely devoid of content, rack up enough Likes, their creators can sell them on the black market. Buyers will use them to sell knock-off products or spread messages with malicious links to Facebook members. A page with 100,000 Likes can sell for US$150-$200.

Brand Hijacks on Twitter

Burger King’s followers on Twitter may have wondered last week if a palace coup was underway. The fast food company’s account was hacked, and the hijackers replaced the account’s profile picture with one displaying food from archrival McDonalds. Text on the image declared The King had been sold to Mickey D’s because “the Whopper flopped.”

Other items posted to the account by the hijackers were less innocuous. They included messages with vulgarity, racial epithets and a photo of a person injecting drugs in a bathroom with the implication he worked for the fast food chain.

Emboldened by the publicity their Burger King stunt produced, the hijackers performed an encore the next day with Jeep’s Twitter account. The feed proclaimed that the division of Chrysler had been sold to GM’s Cadillac subsidiary.

Most of the rest of the content fed into Jeep’s Twitter feed was obnoxious material recycled from the Burger King hack.

Although annoying, the brand hijack actually provided benefits to Burger King. Its Twitter followers jumped from 77,000 before the hack to more than 111,000.

Things couldn’t have gone better for Burger King if it had planned the hack, so that’s what MTV and BET did. The two cable networks — both Viacom properties — hijacked each other’s Twitter accounts as a publicity stunt, which only managed to produce more outrage than followers.

The Twitter hijackings generated headlines but no significant damage to the companies involved, noted Rocco Pendola, director of social media for TheStreet.com.

“It’s not a big deal because we’re not dealing with customers’ private informaton,” he told TechNewsWorld. “At the end of the day, it’s only a minor inconvenience for them. And if they’re smart, they can turn it into an opportunity.”

Chinese Cyberbandits

Mandiant, a company known in security circles but less so to the public, moved into the mainstream media spotlight when it released a stinging report charging that the Chinese Army was backing a computer hacking group responsible for system break-ins at 141 companies worldwide.

The report comes on the heels of much-publicized breaches at U.S. media outlets, including The New York Times, by intruders alleged to originate in China.

Mandiant’s investigation revealed that the Chinese government is directing the People’s Liberation Army to commit systematic cyberespionage and data theft against organizations around the world.

China denied the claims in the Mandiant report.

Java’s Turn

Chinese hackers weren’t the only ones attracting the security community’s attention last week. A favorite hacker attraction, Java, was targeted once again, and Apple was part of the collateral damage.

The company revealed that some of its internal systems had been infected by drive-by malware planted at a developer’s website frequented by Apple employees. Facebook employees had recently been trapped by the same malware at the website.

Apple was able to isolate the infected computers. It said no data was taken from the company.

Shortly after Apple’s disclosure of the infections, it and Oracle pushed out fixes to address the vulnerabilities exploited in the drive-by attacks.

Oracle is going through what Microsoft and Adobe have experienced with their software, Jamz Yaneza, threat research manager atTrend Micro, told TechNewsWorld. Now it’s Java’s turn.

Oracle needs to do more work if Java is to remain viable, said Symantec security researcher Liam O’Murchu. “We’re going to see fewer and fewer people using Java,” he told TechNewsWorld, “or a better response from Oracle with a more focused approach on security and vulnerabilities.”

Breach Diary

  • Feb. 18. Twitter account of Burger King breached. Bogus announcement of sale of company to McDonalds posted.
  • Feb. 19. Security company Mandiant releases report identifying unit in Chinese army it claims is responsible for system breaches at 141 companies around the world since 2006 — all of them in industries identified as strategic by China.
  • Feb. 19. Twitter account of Jeep breached. Bogus announcement of sale of company to Cadillac posted.
  • Feb. 20.Javelin Strategy & Research reports that in 2012, identity fraud incidents increased by more than one million victims and fraudsters stole more than $21 billion, the highest amount since 2009.
  • Feb. 21. Zendesk, a provider of help desk services for more than 20,000 customers including Sears, Xerox and Groupon, disclosed that a hacker had gained access to some of those customers’ support information. It said only three customers were affected. Although Zendesk did not name the customers, Twitter, Pinterest and Tumblr all have reportedly informed some of their users that their information may have been compromised.
  • Feb. 21. NBC’s website hijacked and Citadel Trojan planted on the site. An undetermined number of visitors may have been infected by the malware designed to steal personal and financial information.

Upcoming Security Events

  • Feb. 24-25. BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco. Free.
  • Feb. 25-Mar. 1. RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: To Jan. 25, $1,895. After Jan. 25, $2,295.
  • Feb. 26. Optimizing and Safeguarding Your Data Network. 11:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
  • Mar. 1-2. Battlefields, Boardrooms, and Backyards: The New Face of National Security Law. 210 Science Drive, rm. 3014, Duke Law School, Durham, N.C. Sponsored by the Center on Law, Ethics and National Security. Free.
  • Mar. 12-15. Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, 1,095 euros ($1,447); through Feb. 28, 1,295 euros ($1,711); Mar. 1-15, 1,495 euros ($1,975).
  • March 28. Trends in Government Security – Risk Management, Compliance and Technology. 1 p.m. Webinar. Free.
  • Apr. 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, $999; Feb. 9-Apr. 18, $1,099; Apr. 19-25, $1,199.
  • Apr. 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By Apr. 19, free; After Apr. 19, Pounds 20.
  • Jun. 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m.ET. Newseum, Washington, D.C. Registration for Non-government attendees: Before March 3, $395; Mar. 3-Jun. 10, $495; Onsite, $595.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels