Remember when the web was young, and email was just gaining popularity in the mainstream, and there was a slew of virus hoaxes like the Good Times Virus, or It Takes Guts to Say Jesus, or Elf Bowling?
Remember painstakingly explaining to people that no, your computer couldn’t get a virus just by reading an email, you had to click on an attachment? That images were safe to open? Remember when the worst people had to worry about from web pages was unwanted cookies? Getting a virus just from looking at a web page? Preposterous! And a virus that ran up your credit card? Ridiculous!
It’s sad to think that all those “ridiculous” things are now possible—in fact, they’re commonplace. Look back at that link up there. It’s Snopes’ page on computer virus warnings. Way back when, they were all bogus. These days, most of them are real.
So what’s next? Well, they keep talking about Internet-aware appliances, so a future virus probably could “recalibrate your refrigerator’s coolness setting so all your ice cream goes melty.”
Personally, MySpace bugs the heck out of me because it seems to have a culture that encourages embedding images from other sites. 18% of hits to hyperborea.org from other websites are from myspace. Admittedly that’s inflated by the fact that attempts to embed images from my Flash site redirect to the actual articles, so it’s probably more like 10%, but it’s still insane. Earlier this week I started blocking hits from MySpace to images posted on this blog, and I plan to do the same with the Flash images over the weekend. You like my photos? Great, link to my actual site! You like the scan I have of some movie logo? Great, copy it and upload it to your own site!
If you’ve been paying attention to computer security, you already know that spam, viruses, and organized crime have been in bed together for at least a year. The recently-discovered theft of 40 million credit card numbers [edit: originally linked to Yahoo News] illustrates this point clearly:
CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, [MasterCard spokeswoman] Gamsin said. She said she did not know how the script got into the system. The FBI was investigating. (emphasis added)
Given the current porous state of many networks and operating systems, and the general public’s attitude that catching a computer virus is as inevitable as catching a cold, I’d guess it got into the system the same way most spyware does. An email attachment squeaked by the filters. Someone installed a tool that claimed it would make their web access faster. Someone got a well-designed phish, followed the link, and got infected by a backdoor because their browser was behind on security patches. Someone brought a laptop home, plugged it into their insecure home network, and brought back a virus.
Sadly, I expect we’ll be seeing a lot more of this.
Update June 20: Netcraft is reporting that it was indeed lax computer security that did them in:
MasterCard International said it “worked with CardSystems to remediate the security vulnerabilities in the processor’s systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.” Officials at affected institutions were not specifying the vulnerability and exploit used to breach CardSystems’ security. (emphasis added)
Netcraft seems to think it was likely their website, which runs on Windows 2000 and IIS 5, and they go on to promote their own security consulting services. So it’s not entirely an unbiased look at the incident.
Over the last few days, one of the viruses going around (probably a Mytob variant) has been trying to send its “Your account is being suspended! Open this file now!” come-ons. It forges the return address as firstname.lastname@example.org, email@example.com, etc. We block any incoming mail using these addresses before it even gets to our virus scanner.
Now here’s the weird part. We’re also getting bounces sent to another domain we manage, let’s say another-example.com. Both sets are coming from someserver.another-example.com.br!
I think that the virus is finding itself on another-example.com.br and not recognizing the country-specific domain name, misreading it as just another-example.com. It then looks up the mail server, finds our domain, and targets both.
Received 9 messages to a set of related spamtraps. All identical, claiming to be an E-Gold payment with an attached zip file containing a scan of the check. Our server found that zip file suspicious and defanged it. The funny thing? While the From: lines all varied, they all claimed to be from Peter Gabriel.