A recent phishing attempt is a reminder that the bad guys never stop trying to gain access to our PCs and accounts.
Take some time for a close look at your Windows machines, to ensure they’re as patched as they could and should be.
Tipped off by a suspect Facebook alert
It all started with a shocking e-mail. Like many (most?) PC users, I have a Facebook account and try to engage in some social-media interactions. When someone posts to your wall, it’s normal to get an e-mail alerting you to the new post. But I received an alert that was both shocking and extremely rude — certainly something that I would never have expected. Curious as to why someone had posted such an unwarranted remark on my Facebook wall, I put my mouse pointer on the usual “see comment” link and almost clicked. Some small doubt entered my mind, and I simply hovered over the link.
That saved me from a possible phishing attack. Hovering over the link popped up the full URL, and it was immediately obvious that the link wasn’t going to Facebook. The link looked suspicious, so I went to Wepawet, a site that checks for malicious scripts on other websites. Run by several universities to study ways to diagnose malicious code, it’s also a way for all of us to examine sites without clicking their links.
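The hover check described above can be automated for the HTML body of an alert e-mail. The following is an added example, not code from the original article: it lists every link whose real destination is not on a domain the claimed sender owns. The trusted-domain list and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains a genuine Facebook alert is expected to link to.
TRUSTED = ("facebook.com", "fb.com")

def host_is_trusted(url, trusted=TRUSTED):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkAuditor(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html):
    """Return (text, href) pairs whose destination host is not trusted.
    Links with no host at all (relative, mailto:) are reported as well."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return [(t, h) for t, h in auditor.links if not host_is_trusted(h)]

# Constructed sample body (not the e-mail from the article); hosts are reserved example domains.
SAMPLE = """<p>Someone commented on your Wall.</p>
<a href="http://www.facebook.com/profile.php">View profile</a>
<a href="http://facebook.com.alerts.example.net/c?id=1">See Comment</a>
<a href="http://www.facebook.com@login.example.org/">facebook.com/settings</a>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE):
        print(f"link text {text!r} really goes to {urlsplit(href).hostname}")
```

The comparison uses the parsed hostname rather than a substring search, so a trusted name placed in a subdomain label or in the user-info part of the URL does not pass.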
Using the Wepawet site, I determined that a malicious iframe HTML element was being used to call another malicious site. The Wepawet report indicated that the malicious website was trying to use the Windows Help and Support Center vulnerability we patched way back in 2010 with KB 2229593 in MS10-042.
Seeing such an old threat should make me feel comfortable that, as long as I stay reasonably up to date with patching, I’ll be okay. But instead I was reminded of a recent blog post that described how many JavaScript attacks use several vulnerabilities (including the Help Center vulnerability) to attack systems. (These are called Blacole attacks.)
A TechNet MS Security blog points out that the exploits look for Adobe Flash Player, Adobe Reader, Microsoft Data Access Components, the Oracle Java Runtime Environment, and other popular products and components to attack. The malicious website can change its attack strategy to go after one or more of these vulnerabilities.