Author Archives | CSA


Why you shouldn’t reveal your Royal Wedding Guest name on Facebook

In the absence of a genuine ticket to the real event, Facebook users are encouraging each other to reveal their Royal Wedding Guest name.

Here’s a typical message that is currently being spread by well-meaning users across the social network:

Wedding guest name on Facebook

In honor of the big wedding on Friday, use your royal wedding guest name. Start with either Lord or Lady. Your first name is one of your grandparents’ names. Your surname is the name of your first pet, double-barreled with the name of the street you grew up on. Let’s do this! Post yours here. Then cut and paste it into your status.

Regally yours,
Lady Edith Spanky-Rushmoor

Do you see the problem?

By playing the game, you might be unwittingly making life easier for identity thieves and hackers.

Look at it this way. Think of all the websites which ask you to set a “secret question” that can confirm your identity in the event of you forgetting your password.

Yahoo password question

If you tell everyone your Royal Wedding Guest name then you are giving away information which might help someone break into, say, your email account.

So, here’s my advice.

Firstly, don’t post this kind of personal information on the internet: the few seconds of amusement you may get from telling people your Royal Wedding Guest name are not worth the potential pain of having your identity stolen.

Secondly, when websites ask you for a “secret answer” to reset your password… lie. You don’t need to tell the truth when you’re asked by a website what your mother’s maiden name was, or the name of your favourite TV show. So, say something random but memorable that no-one is likely to guess like “Xena Warrior Princess” or “Artichoke Sandwich”.

If you use Facebook and want to learn more about threats, you should join the Sophos Facebook page where we have a thriving community of over 70,000 people.

Of course, if you do happen to be one particular couple getting married tomorrow, you’re not going to have any chance of keeping your grandparents’ names secret.

Hat-tip: Thanks to Naked Security reader Paul who brought this particular issue to our attention.

Posted in Sophos

Royal Wedding or Royal hunt

This news instantly became very fruitful for all kinds of cybercriminals. Here is some of the proof we found:

1) SEO-optimized Google image searches leading to a malicious site hosting an exploit for the “Help Center URL Validation Vulnerability”. The exploit drops a malicious executable onto the system: a password-stealing trojan.

At the moment we found it, Kaspersky Anti-Virus detected the sample as Heur.Trojan.Win32. Meanwhile the Jotti multiscanner result was 1/20.

The exploit also works with the Opera and Firefox browsers, by dropping a malicious PDF file onto the system:

2) SEO optimized for all non-Russian Google searchers, leading to rogue AVs, in particular “XP Anti-Virus 2011”, which is quite aggressive in blocking Internet access and extorting money for activation

(Note: the third option doesn’t allow browsing either)

The infection scheme is quite simple: the victim searches for pictures on the topic “Royal Wedding”, and when the click arrives with a Google referrer, a special malicious script redirects the victim to a malicious .cc domain showing a classic fake AV window.
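The referrer check at the heart of that scheme is easy to reproduce and to test for. The following is an added example, not code from the original post or from Kaspersky: it runs a small local web server that behaves like such a cloaking script (keyword-stuffed page for direct visitors and crawlers, redirect for anyone arriving with a Google referrer) and probes it twice the way an analyst would. The landing URL, the poisoned path and the server itself are constructed for the example.

```python
import hashlib
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the rogue AV landing page; .invalid is never a real domain.
LANDING = "http://fakeav.invalid/scan.php"


class CloakingHandler(BaseHTTPRequestHandler):
    """Mimics a poisoned page: direct visitors (and Google's crawler) get the
    keyword spam that earned the ranking, while a visitor whose Referer shows
    a Google click is bounced to the fake AV site."""

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        if "google." in referer:
            self.send_response(302)
            self.send_header("Location", LANDING)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html><body>royal wedding pictures royal wedding dress royal wedding ...</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the probe sees them instead of the destination."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, referer=None):
    """Fetch url once; return (status, Location header or None, sha256 of body or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location"), hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as err:  # 3xx lands here because we declined to follow it
        return err.code, err.headers.get("Location"), None


def is_cloaked(url, search_referer="https://www.google.com/search?q=royal+wedding+dress"):
    """True when the same URL answers a Google click differently from a direct visit."""
    return probe(url) != probe(url, referer=search_referer)


def start_demo_server():
    """Serve the cloaking handler on a random loopback port; returns (server, poisoned URL)."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/xy-royal-wedding-dress" % server.server_port


if __name__ == "__main__":
    server, url = start_demo_server()
    print("direct     :", probe(url))
    print("from google:", probe(url, "https://www.google.com/search?q=royal+wedding"))
    print("cloaked    :", is_cloaked(url))
    server.shutdown()
```

The direct fetch returns 200 with the stuffed page, the fetch carrying a Google Referer returns a 302 to the fake AV host, and is_cloaked() reports the difference. The same probe() works against a real suspect URL, with the caveat that many redirectors also key on User-Agent and client IP, so one pair of requests can still miss cloaking.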

3) Scams involving a fake satellite TV service for which the victim is asked to pay. Of course, the credit card details are stolen once the payment is accepted.

4) Spam on Twitter simply abusing trending topics (TT) and leading to miscellaneous junk content sites.

We highly recommend using the latest patched browser with a plugin like NoScript, not clicking on any unknown link, and keeping your AV updated with real-time protection enabled.

Posted in Kaspersky

Be Careful If Searching For Images of Kate Middleton’s Dress

Real-world events occasionally generate a massive number of online searches. Japan’s recent earthquake and the tsunami that followed are a good example of a sudden event that turned the world’s attention to Google. And as topics trend in Google’s search results, Search Engine Optimization (SEO) attacks are attempted. Our March 11th post urged caution while searching for information.

The post also noted that Google has been doing a pretty good job of keeping SEO attacks at bay and filtered out of their search results. Web results, that is.

Since October of last year, we’ve seen a steady growth in image based SEO attacks. Because Google is winning the (cat and mouse) battle against malicious site SEO, some attackers have shifted to image searches. Image based SEO attacks are more of a technical challenge. Instead of following trends and then connecting to a hosted attack site, the attacker must connect a trending topic to a particular image, then link that image to a compromised site, which in turn links to the attacker’s site.

It’s a fascinating evolution that our Threat Insights team has been investigating.

But we’ll provide more details about that in a future post.

Today, we want to mention what’s likely to be a heavily searched for image tomorrow, Kate Middleton’s wedding dress.

People aren’t simply going to want to read about the wedding of Prince William and Kate Middleton, they’re going to want to see it. And so tomorrow, we expect Google’s image search to be more popular than ever.

We’re already seeing some “royal wedding coverage” SEO attacks.

Here’s an example which includes some well known footballers in the results:

SEO image attacks

The image, called “0611-soccer-studs1-credit.jpg”, is linked to “lingerie-now-com”.

Google’s preview is loaded in the front, while the host site is loaded in the background.

SEO image attacks

What happens next is that the background site is linked to the attack site, which takes over the page and displays a warning message: an attempted scareware attack.

SEO image attacks

You can see the linkages here:

SEO image attacks

The site then renders an animated “Online Scan”:

SEO image attacks

All of the results are nonsense of course; this example is from a clean test machine:

SEO image attacks

Unfortunately, SEO driven scareware attacks are very successful, relatively speaking. Consumers have been scammed out of millions of dollars by this type of attack.

So be wary of this potential threat if you’re among those searching for wedding pictures.

SEO image attacks

Google’s Web search result for “royal wedding” places the couple’s official site at the top of the page.

And here’s another timely example of an image based SEO attack, from GFI Labs’ Christopher Boyd, targeting those who searched for US President Barack Obama’s birth certificate, which was released by the White House yesterday.

Posted in F-Secure

The Ultimate Profile Viewer is now being released! Shocking for real! See who visits your profile real time!

Scam Signature Message

The Ultimate Profile Viewer is now being released! Shocking for real! See who visits your profile real time! See who invisible you on their friend list chat! Check it now and you will be shocked who viewed your profile now ! See your results here ->

ultimateviewer_wall2

Scam Type: Survey Scam - Profile Peeker - Rogue Application

Trending: April 2011

Why it’s a Scam:

Clicking the wall post link takes you to the following page:

ultimateviewer_main

Clicking “Continue” will take you to the following Facebook application installation screen:

ultimateviewer_app

Proceeding with installation is not a good idea. You will be giving a rogue application developer access to all of your Facebook profile information, and they will use your account to spam your friends.

If you do “Allow” the application to install, the following survey scam will be presented:

ultimateviewer_survey

Keep in mind that profile spy and stalker apps are all bogus and violate Facebook’s TOS; developers do not have access to the information required to build such applications. For more information about them check out our in-depth article:

Facebook Profile Spy, Stalker & Creeper Apps – Everything you need to know

How to Deal with the Scam:

If you did make the mistake of installing the application, you are now spamming your friends with the scammers’ message. You should clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right hand corner of the post). If your installed anti-virus program caught the malware attempt, then your system should not be affected. If you don’t have anti-virus software installed, then you need to install some immediately and run a full system scan.

If you or your Facebook friends are falling for tricks like this, it’s time to get yourself informed of the latest threats. Be sure to join the Facecrooks page on Facebook to be kept informed of the latest security issues.

Posted in Facebook

IME Injection Evolution

Recently we found many malware samples using a smarter way to inject a chosen DLL into the system through the IME (Input Method Editor) management mechanism. Compared to the old IME injection tricks, it is much harder for users or anti-virus companies to discover.

As we know, at the beginning of last year many Chinese users found they could no longer use certain language input methods. This type of virus caused a lot of inconvenience. The first version of IME injection simply replaced the IME file specified by the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0020804

Value name: IME File

Value data: *.ime

where E002 is a device identifier and 0804 is the language identifier, in this case Simplified Chinese. You can find more information about this registry key in MSDN.

If the IME file is replaced by the malware DLL, the original input method no longer works properly. This could bypass many behaviour monitors, but the story didn’t last long, because the technique was easily discovered.

After that, the IME injection technique was updated. The next generation was much more complicated and needed three components. The first component was a management program which dropped the other two:

1. A fake IME file. This fake IME file always exports the following two functions:

IMESetPubString

IMEClearPubString

IMESetPubString is used to load the malware DLL specified by the management component.

2. The DLL to be loaded: the real payload of the malware.

The management component registers the fake IME file as the system’s default input method, then sends the WM_INPUTLANGCHANGEREQUEST message to the targeted windows to activate the fake IME, which in turn loads the real malware. This type of injection does not replace any of the user’s normal IME files and is a little harder to trace, but it still has weaknesses: users can easily spot the strange IME entry in the language bar and the newly added Keyboard Layouts registry entries, and the fake IME file is left behind on the system. This type of injection was popular during the second half of last year, but it has now nearly disappeared.

Now we have found IME injection generation III. It is smarter and harder to discover: it does not change any registry entry or drop any fake IME file. It is based mainly on a study of two functions exported from imm32.dll: ImmLoadLayout and ImmGetImeInfoEx.

ImmLoadLayout opens the Keyboard Layouts key and reads the IME file name.

Image1

Before invoking this function, the malware has already hooked ZwQueryValueKey.

The hook procedure looks like the following:

Image2
 

If the value being queried is IME File, the hook modifies the returned data to the malware’s file name, 04f30730.tmp, and then unhooks ZwQueryValueKey.

After the above process, the malware posts a message to explorer.exe:

Image3

explorer.exe then calls ImmLoadIME, which calls LoadLibrary to load the DLL returned by ImmGetImeInfoEx. The following snapshot shows the call stack of explorer.exe after it received the WM_INPUTLANGCHANGEREQUEST message:

Image4

Now the malware has achieved its goal: the malicious DLL is loaded by explorer.exe.

Before loading the DLL, Windows invokes ApphelpCheckIME to check the legitimacy of the DLL, but it does not check whether the DLL exports any IME functions at all.

Posting a language change message therefore causes explorer.exe to load an arbitrary DLL, even one that exports no IME functions, which is really dangerous!
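For responders, the three generations described above leave different artefacts: generations I and II show up in the Keyboard Layouts registry key, generation III only as a foreign module inside explorer.exe. The following Python is an added example (not AVG’s code) of checking both: it parses a .reg export of the Keyboard Layouts key and flags IME File values that are not .ime files or that point outside the system directory, then applies a simple extension and location heuristic to a list of explorer.exe module paths. The registry fragment and the module list are constructed for the example; the 04f30730.tmp name is taken from the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed fragment in the format written by
#   reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" layouts.reg
# (a real export is UTF-16; open it with encoding="utf-16"). File names are
# illustrative; only the E0200804 entry imitates the generation II trick.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0010804]
"Layout File"="kbdus.dll"
"IME File"="pintlgnt.ime"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout File"="kbdus.dll"
"IME File"="C:\\Users\\Public\\04f30730.tmp"
"Layout Text"="Chinese (Simplified) - Input Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"
'''

SECTION_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\.*\\Keyboard Layouts\\([0-9A-Fa-f]{8})\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
WRITABLE_HINTS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\documents and settings\\")


def parse_layouts(reg_text):
    """Map layout id -> {value name: data} from a .reg export of Keyboard Layouts."""
    layouts, current = {}, None
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            layouts[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data
            layouts[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return layouts


def audit_ime_entries(layouts):
    """Generation I/II artefacts: an IME File that is not an .ime or not in System32."""
    findings = []
    for layout_id, values in sorted(layouts.items()):
        ime = values.get("IME File")
        if ime is None:
            continue  # plain keyboard layout, no IME involved
        p = PureWindowsPath(ime)
        if p.suffix.lower() != ".ime":
            findings.append((layout_id, ime, "IME File does not have an .ime extension"))
        if p.is_absolute() and not str(p.parent).lower().startswith(SYSTEM_DIRS):
            findings.append((layout_id, ime, "IME File lives outside the system directory"))
    return findings


def suspicious_explorer_modules(module_paths):
    """Generation III leaves no registry trace; the only artefact is the DLL
    inside explorer.exe. module_paths is whatever your tooling lists as loaded
    modules (Process Explorer, tasklist /m, a memory image); constructed here."""
    findings = []
    for path in module_paths:
        p = PureWindowsPath(path)
        low = str(p).lower()
        reasons = []
        if p.suffix.lower() not in (".dll", ".exe", ".ime", ".drv", ".ocx"):
            reasons.append("unusual extension %s" % (p.suffix or "(none)"))
        if not low.startswith(TRUSTED_PREFIXES) or any(h in low for h in WRITABLE_HINTS):
            reasons.append("not under a protected system directory")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


# Constructed module list for explorer.exe; the last entry is the post's payload.
SAMPLE_MODULES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\imm32.dll",
    r"C:\Windows\System32\pintlgnt.ime",
    r"C:\Users\victim\AppData\Local\Temp\04f30730.tmp",
]

if __name__ == "__main__":
    for finding in audit_ime_entries(parse_layouts(SAMPLE_REG)):
        print("registry:", *finding)
    for finding in suspicious_explorer_modules(SAMPLE_MODULES):
        print("module  :", *finding)
```

Neither check proves infection on its own: a legitimately installed third-party IME can fail the location test, and a generation III sample that names its file something.dll under C:\Windows would pass the module heuristic. Treat hits as leads to pull the file and check its signature and exports.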

Many functions in imm32.dll are still undocumented, and this area is becoming more and more attractive to malware writers. We don’t think this is the end, but rest assured that we are paying close attention to new IME injection methods.

 

Frank Zheng, Stanley Zhu & Hynek Blinka

Posted in AVG

The BLOODIEST Fight EVER – BANNED FROM TV!

Scam Signature Message

The BLOODIEST Fight EVER – BANNED FROM TV!

bannedufc_wall

Scam Type: Survey Scam 

Trending: April 2011

Why it’s a Scam:

Clicking the wall post link takes you to the following page:

bannedufc_main

If you do follow their directions and click to “Watch the Video” you are taken to the following page:

bannedufc_survey

Here we see the end game of a typical Facebook survey scam. Each time someone completes a survey, the scam creator gets a commission. Depending on the information you submitted in the survey, the scam creator may also now hold personal information that can be used to harm you. If you downloaded any games or other files, your computer could be infected with a virus, trojan or other malware. Never download files from scams like this!

How to Deal with the Scam:

If you did make the mistake of pasting the code into your browser, you are now spamming your friends with the scammers’ message. You should clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right hand corner of the post). It also appears that this scam creates a fake event on your wall. You need to delete this event as well.

If you made the mistake of submitting your cell phone number for any of the surveys, then you should contact your carrier immediately to keep any bogus charges from appearing.

If you or your Facebook friends are falling for tricks like this, it’s time to get yourself informed of the latest threats. Be sure to join the Facecrooks page on Facebook to be kept informed of the latest security issues. Also check out:

Your Ultimate Guide to Facebook Scams and How to Deal with Them

How to spot a Facebook Survey Scam

Posted in Facebook

The Royal Wedding and The Fake Antivirus

The Royal Wedding of Prince William and Catherine Middleton that will be held tomorrow, on April 29, will attract the attention of many people around the world, and has become a trending topic on various websites, especially the social networking sites.

No doubt, it also became an easy target for malware authors, who spread their malware using SEO poisoning techniques. This black hat SEO technique has been used by malware writers from time to time, exploiting hot topics to boost the ranking of their sites in search engine results.

As you can see on Google Trends and Google Insights, the search volume has increased massively, and the same is happening on Facebook and Twitter.

When you do a search related to this, some of the results point to malicious websites.

When a victim clicks such a link, they are redirected to a malicious site that forces the download of a fake antivirus:

  • http://rnzrrljt.co.cc/[censored]
  • http://xnslrqlr.co.cc/[censored]

Both resolve to the IP address 78.26.179.10.

The malicious site shows fake scanning dialogs and also displays fake alert messages.

Once the downloaded file is executed, the rogue application starts its actions.

The name used by this rogue application can differ. In our tests, the fake antivirus called itself “Win 7 Anti-Spyware” on Windows 7, but on XP it showed up as “XP Home Security 2011”.

Emsisoft Anti-Malware detects this malware as Trojan.Win32.FakeAV. Currently, based on VirusTotal, detection rates are still low: only 10 of 41 engines detect it.

Posted in Emsisoft

Malicious E-Cards on the prowl

Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works. Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email. Our customers are protected from this threat by ACE, our Advanced Classification Engine.

 

Let us first look at the sample email. The URLs used in the emails are either compromised sites or domains created barely two weeks ago.

 

Screen shot 1 : Sample email that the Websense Email Threat Team got hold of recently



Clicking the URL within the email directs you to a site containing obfuscated code similar to that shown in Screen shot 2. This code then creates an iframe containing another URL, which you can see in Screen shot 3.

 

Screen shot 2 : Obfuscated code of the URL that came with the email


Screen shot 3 : Deobfuscated code of the URL from the email.

 

The URL specified in the iframe contains another obfuscated script. This script, which uses redirection code strikingly similar to the one in our recent blog post, in turn drops the exploit code and runs a rogue AV on the victim’s machine.
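The chain above (an obfuscated script writes an iframe, and the iframe’s target runs the next stage) can be triaged statically without executing any JavaScript. The following Python is an added example, not Websense’s code and not the actual page from the email: it decodes the unescape() and String.fromCharCode() layers commonly used for this, then lists every iframe found in the page or in the decoded material together with whether it is hidden. The sample page, including its obfuscated iframes and their .invalid hostnames, is constructed inside the block.

```python
import re
import urllib.parse

# --- constructed sample page (not the real page from the email) ---------
# Two hops hidden behind the obfuscation tricks described above, plus one
# ordinary visible iframe so the hidden ones stand out. Hosts are .invalid.
HOP1 = ('<iframe src="http://card-hop.invalid/in.cgi?3" width="1" height="1" '
        'style="visibility:hidden"></iframe>')
HOP2 = '<iframe src="http://second-hop.invalid/" style="display:none"></iframe>'


def js_unescape_literal(s):
    """Encode s the way a dropper does for unescape('...')."""
    return 'unescape("%s")' % urllib.parse.quote(s, safe="")


def js_charcode_literal(s):
    """Encode s as String.fromCharCode(...)."""
    return "String.fromCharCode(%s)" % ",".join(str(ord(c)) for c in s)


SAMPLE_PAGE = """<html><body><p>Your card is loading...</p>
<script>
var a = %s;
document.write(a);
document.write(%s);
</script>
<iframe src="http://legit-cards.invalid/ecard/view" width="600" height="400"></iframe>
</body></html>
""" % (js_unescape_literal(HOP1), js_charcode_literal(HOP2))

# --- static unpacking ---------------------------------------------------
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']([^"\']*)["\']\s*\)')
CHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d\s,]+)\)')
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def js_unescape(s):
    """JavaScript unescape(): %XX and %uXXXX sequences."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


def unpack_layers(text, max_rounds=5):
    """Decode unescape()/fromCharCode() literals round by round and return the
    original text followed by everything those layers would have produced.
    No JavaScript runs, so variable indirection (document.write(a)) is ignored:
    we look at what the strings contain, not at how they are wired together."""
    layers, frontier = [text], text
    for _ in range(max_rounds):
        produced = [js_unescape(m.group(1)) for m in UNESCAPE_RE.finditer(frontier)]
        produced += ["".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
                     for m in CHARCODE_RE.finditer(frontier)]
        if not produced:
            break
        frontier = "\n".join(produced)
        layers.append(frontier)
    return "\n".join(layers)


def parse_attrs(raw):
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def _dim(value):
    value = value.lower().replace("px", "").strip()
    return int(value) if value.isdigit() else None


def is_hidden(attrs):
    """Zero or one pixel, display:none or visibility:hidden: nobody is meant to see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    w, h = _dim(attrs.get("width", "")), _dim(attrs.get("height", ""))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_iframes(html):
    """Return [(src, hidden)] for every iframe in the page and its decoded layers."""
    return [(a.get("src", ""), is_hidden(a))
            for a in (parse_attrs(m.group(1)) for m in IFRAME_RE.finditer(unpack_layers(html)))]


if __name__ == "__main__":
    for src, hidden in find_iframes(SAMPLE_PAGE):
        print("HIDDEN " if hidden else "visible", src)
```

The hidden-iframe sources are the next hops to fetch (from an isolated machine) and feed back through the same function, which is how the second obfuscated script in this chain would be found. Packers that build strings by arithmetic or eval chains defeat this static pass and need a sandboxed JavaScript engine instead.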

 

Screen shot 4 : Code snippet of the URL specified in the iframe used in redirection

 

Having the victim click on the link and then download an executable is the norm in these types of attack. In this case, however, victims are exploited, and malware is downloaded and executed, simply by clicking the URL link that came with the email.

 

Screen shot 5 : Snapshot of the malicious website used in the email

 

Websense Email Security and Websense Web Security protect against these kinds of blended attacks.

Posted in Security

Cyber Crooks All Set to Crash the British Royal Wedding

As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.
 

Spam campaigns

We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.

In one such recent spam campaign, email promoting a “limited edition Buckingham Mint Royal Wedding Commemorative Coin” at a discounted rate is being observed:


 
The IP address involved in this particular spam attack belongs to a domain owned by an email marketing company based in the UK. The link in the body of the email first briefly redirects to the domain lpmtrk.info, created on January 14, 2011, before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure the registrant’s identity so that it could be used for spamming activities.

In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:
 

 

Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:

From: Sovenir <souvenir@yahveh.permissionalert.com>
From: Sovenir <souvenir@ardent.informationfoot.com>
From: “Timeless Royal Ring” <royalring@yinstenarm.com>
From: “British Heirloom Ring” <royalring@yinstenarm.com>

Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring

The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.

The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.
 

Black hat SEO

With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.

At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.

Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:


 
Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”

The Norton Safe Web reports at safeweb.norton.com provide a detailed threat report for sites rated red or yellow:

Here are some other search terms currently returning poisoned links:

* william and kate movie cast
* prince charles age
* princess diana death facts
* prince harry last name
* william and kate movie on lifetime
* royal wedding guest list bush
* royal wedding guest list snubs
* prince charles siblings
* the royal wedding date and time

We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques, such as keyword stuffing, cloaking, and link farming, to “game” the search engine algorithms and achieve high search engine rankings.

These poisoned links generally have the following pattern:

hxxp://<domain name>/<random 2 character string>-<search keyword>

Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We came across 11 different co.cc domains being used in this campaign so far.
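The two traits just described, the /<2 chars>-<keyword> path and the 307 redirect to a co.cc domain, are enough to pick these clicks out of proxy logs. The following Python is an added example, not Symantec’s tooling: it scores each request on those two traits and reports the ones showing both, along with the co.cc landing hosts for blocklisting. The log records are constructed in a simple tab-separated form (time, client, URL, status, Location or “-”) with .invalid and made-up co.cc hostnames; a real deployment would map its own proxy’s fields into the same record.

```python
from urllib.parse import urlsplit
import re

# Symantec's observed link shape: /<2 random chars>-<search keyword>
POISONED_PATH_RE = re.compile(r'^/[a-z0-9]{2}-[a-z0-9+_-]+/?$', re.I)

# Constructed records: time, client, requested URL, status, Location ("-" if none).
SAMPLE_LOG = """\
2011-04-28T09:12:01Z\t10.1.1.20\thttp://official-site.invalid/\t200\t-
2011-04-28T09:12:05Z\t10.1.1.20\thttp://compromised-blog.invalid/xk-royal-wedding-time\t307\thttp://qwpmdkfj.co.cc/index.php?q=royal
2011-04-28T09:12:06Z\t10.1.1.20\thttp://qwpmdkfj.co.cc/index.php?q=royal\t200\t-
2011-04-28T09:13:44Z\t10.1.1.31\thttp://news.example.invalid/ab-cd\t301\thttp://news.example.invalid/ab/cd
2011-04-28T09:14:10Z\t10.1.1.31\thttp://another-victim.invalid/mz-princess-diana-death-photos\t307\thttp://lkjhgfds.co.cc/scan.php
2011-04-28T09:15:00Z\t10.1.1.40\thttp://shop.example.invalid/item-42\t200\t-
"""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def classify(record):
    """Return the set of reasons one request looks like a poisoned link (empty = clean)."""
    reasons = set()
    url, status, location = record["url"], record["status"], record["location"]
    if POISONED_PATH_RE.match(urlsplit(url).path):
        reasons.add("path matches /<2 chars>-<keyword> pattern")
    if (status == 307 and location != "-"
            and host_of(location).endswith(".co.cc")
            and host_of(location) != host_of(url)):
        reasons.add("307 redirect to co.cc domain")
    return reasons


def parse_line(line):
    ts, client, url, status, location = line.split("\t")
    return {"ts": ts, "client": client, "url": url, "status": int(status), "location": location}


def find_poisoned(log_text, min_reasons=2):
    """Requests that trip at least min_reasons traits; 2 keeps a lone /ab-cd path from alerting."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        reasons = classify(record)
        if len(reasons) >= min_reasons:
            hits.append((record["client"], record["url"], host_of(record["location"]), sorted(reasons)))
    return hits


def landing_hosts(hits):
    """Distinct rogue AV hosts seen in the hits, ready for a blocklist."""
    return sorted({host for _, _, host, _ in hits})


if __name__ == "__main__":
    hits = find_poisoned(SAMPLE_LOG)
    for client, url, host, reasons in hits:
        print(client, url, "->", host, "|", "; ".join(reasons))
    print("block:", landing_hosts(hits))
```

The client addresses in the hits are the machines that may have gone on to run the fake scanner; the entry that follows each 307 in the sample (the fetch of the co.cc page) is the one to correlate with executable downloads.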

The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:

When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.

Symantec’s multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.

 

Norton survey results

Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they show some interesting facts, listed below, as well as some that were quite shocking:

* 62% of Americans surveyed are likely to follow the British royal wedding.

* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.

* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.

* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.

* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.

Royal Wedding 2.0 – The first “e-royal wedding”

* Nearly 40% of all respondents will seek their royal wedding information online.

* 67% of 18-34 year olds will seek their royal wedding information online.
            
* 87% of 18-24 year olds will seek their royal wedding information online.

* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.

* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).

People are unaware and unprotected from cybercriminal “wedding crashers”

* 18-34 year olds are more than twice as likely not to have security software (or not to know if they do) on their laptop or computer as those 45 or older.

* 87% of 18-24 year olds seek their royal wedding information through online channels, and, shockingly, the same proportion of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.

—————————————

Note: This blog has been researched and written by Symantec’s Suyog Sainkar, Nithya Raman, and Helen Malani.

Posted in Symantec

FBI takes on Coreflood botnet – but is this a step too far?

Two weeks ago, the Federal Bureau of Investigation (FBI) obtained a court order in Connecticut, USA. This court order allowed the FBI to undertake an anti-cybercrime operation of a sort which had never been authorised before in America.

Not only did the cops seize various US-based Command and Control (C&C) servers belonging to the Coreflood botnet, but they also redirected all traffic intended for those servers to a surrogate server under their own control.

When infected PCs connected to the surrogate, the cops instructed the bot process to terminate, providing that the PC appeared to be in the US, and thus under their jurisdiction.

What made this court order a first in the US is that it gave law enforcement permission to interfere directly with computers belonging to users who weren’t being investigated, or charged with any crime.

The motivation for this novelty was that the Coreflood bot family is notorious for exfiltrating data from infected PCs. As the FBI’s Temporary Restraining Order puts it, Coreflood sets out:

to commit wire fraud and bank fraud in violation of Title 18, United States Code, Sections 1343 and 1344, and to engage in unauthorised interception of electronic communications in violation of Title 18, United States Code, Section 2511.

But the Electronic Frontier Foundation (EFF), a worldwide privacy advocacy group, expressed concerns about this sort of legally-endorsed interference. In particular, the EFF pointed out that there is something unappealing about sending commands of any sort to unknown malicious code on someone else’s computer without their explicit permission.

This may sound like a petty objection – and perhaps, in the real world, it is – but unless you know exactly which variant of the bot is on each PC, there is always a potential risk with trying to use a bot against itself. What if the crooks have deliberately rewired the “stop” command to carry out a “format hard drive” operation instead?

Nevertheless, the FBI went ahead, and the exercise seems to have been a success. So much so, in fact, that the cops went back to court over the weekend to ask for the two-week court order to be extended for a further month.

The new court application shows that the original two-week intervention had a measurable effect, documenting graphically the decrease in US-based PCs which tried to connect to the FBI’s surrogate C&C server:

The cops also compared the relative drop in Coreflood activity in the US and overseas. Sending “stop” commands to the infected PCs was noticeably more effective than simply cutting those PCs off from the C&C servers:

The big difference in the new court application is that the FBI is now asking to be allowed to uninstall Coreflood from infected PCs, not just to stop the bot process temporarily.

The FBI says it will only attempt this sort of automatic remote disinfection on “infected computers of identifiable victims who have provided written consent to do so.” This should keep the EFF happy, but it won’t be half as effective as blindly going ahead with automatic disinfection, without waiting for an exchange of written agreements.

Of course, even court-sanctioned auto-cleanup wouldn’t solve the real problem. Hundreds of thousands of users in the US (and many more than that overseas) have allowed themselves to get and to remain infected by malware which is comparatively easy to detect, remove and prevent.

As the FBI’s court application wryly notes in conclusion:

While the use of an “uninstall” command to remove Coreflood cannot be considered a replacement for the use of properly configured and updated anti-virus software, removing Coreflood from infected computers will at least serve to eliminate a known threat to that victim’s privacy and financial security.

These infected PCs actually pose a known threat not only to the victims, but also to the internet as a whole, and they advertise their infection by openly calling home to the C&C servers.

So, perhaps the FBI should have applied for permission to go at the problem in a much more gung-ho fashion, without the written permission clause?

What do you think?

Posted in Sophos

Free anti-virus for Mac named Best Anti-Malware solution at SC Awards

Who would have thought it? A free anti-virus program for Apple Macs being named best anti-malware solution ahead of those security products for boring old Windows.

Well, that’s exactly what happened at the SC Magazine Awards Europe 2011, held last week at the London Hilton on Park Lane.

Over 530 of the industry’s top companies saw Sophos Anti-Virus for Mac Home Edition successfully beat rivals including products from McAfee, Kaspersky and Symantec to win the coveted title of Best Anti-Malware Solution, at the glittering awards dinner.

Naked Security’s own Carole Theriault was on hand to receive the award, flanked by Qualys CEO Philippe Courtot and dead-pan comedian Stewart Francis.

Carole Theriault receives award at SC Magazine

Carole was uncharacteristically lost for words when I asked her how she felt, but I think what has surprised all of us is just how open Mac users are becoming to the idea of securing their computers with anti-malware software.

Although the number of malware threats targeting Mac OS X is far smaller than for Windows, that doesn’t mean they are non-existent. And Sophos’s free anti-virus for Mac home users has opened many eyes to the fact that security doesn’t have to be an unpleasant experience.

Sophos Anti-Virus for Mac Home Edition’s success at the awards wasn’t the end of the night as far as Sophos was concerned. The company was also named Information Security Vendor of the Year.

A tremendous result in such a competitive marketplace. Our thanks go to SC Magazine’s judging panel for recognising the hard work done by everyone at Sophos in the last year, and for our users and readers for supporting us!

And if you’re still dithering about whether you should run an anti-virus on your Mac at home, then do read the reviews… and then download our free Mac anti-virus. :-)

Posted in Sophos

Sony says credit card details *were* encrypted, but questions still remain

Sony has published a new blog entry, confirming that credit card details which could have been stolen in the recent hack of the PlayStation Network were encrypted.

Sony reassured users of the PlayStation Network that “all credit card information stored in our systems is encrypted”, but underlined that it cannot rule out the possibility that the credit card data was stolen.

The fact that encryption was being used on the credit card data is to be welcomed – as it reduces the chances of stolen information being used for fraud.

Credit card details were encrypted

However, there still remains the question about just how strong the encryption is that Sony used on the credit card data.

Sony has once again missed an opportunity to reassure its customers. They should have said in the first announcement of the data loss that the credit card data was encrypted, and they should – in this latest communication – have provided details of the nature of the encryption that was used.

No-one outside of Sony knows how feasible it would be to decrypt the credit card information if it had been accessed by the hackers.

Maybe they’ll post more information tomorrow. If I were a user of the PlayStation Network I wouldn’t be enjoying waiting for the answers.

Meanwhile, don’t forget that we do know that the personal information of the PlayStation Network’s customers was not encrypted – which means that hackers may have accessed your name, address, email address, birthday, password, and so on.

“The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”

Not sophisticated enough it seems.

Learn more on the PlayStation Network’s blog.

And don’t forget, you are strongly recommended to change your passwords elsewhere on the net, if you were using your PlayStation Network password on other sites.

Posted in Sophos

Malware spammed out as “FaceFacebook Support”.

Another Facebook spam email, pretending that your password is not safe, is currently circulating on the Internet.
The subject is: FaceFacebook Support. Personal data has been changed!ID55733.
The email comes with an attachment called New_Password_IN33494.zip.



The zip file (New_Password_IN33494.zip) contains a New_Password.exe file, which Quick Heal detects as “Trojan.Menti.gen”.
New_Password.exe tries to fool the victim by appearing to be a Microsoft Word document. You should never trust a file by its icon; always pay attention to the file extension. Also make sure that Windows Explorer is set to show file extensions.



On execution, New_Password.exe writes into the memory space of svchost.exe, deletes itself and downloads a file called document.doc from the domain profmiale. ru, which is then saved to the desktop. This file contains a username and password.



While the victim is looking at these new login credentials, another binary is downloaded from profmiale. ru and saved to the %temp% folder as 1.tmp. Once 1.tmp is executed, the computer immediately reboots.

Files:
%userprofile%\Desktop\document.doc
%userprofile%\Local Settings\Temp\1.tmp


Thanks to Mahesh Mane for the detailed analysis.

MegaVideo for MegaMoney

Any trick to get Pay Per Installs (PPI) money from Ad-supported companies is good these days.

This site (www.megavideomovieshare.com/?title=) is usurping MegaVideo’s identity to get people to install adware programs. (The real site does not require you to install “plugins” other than the default Flash Player).

The plugin you must download is in fact the well known “ClickPotato” adware.

To make matters worse, the page includes a malicious iframe:

This redirects you to a Java downloader:

apicurl.com/pics/cwevkvktcsjok.jar

VirusTotal detection here.

The people behind megavideomovieshare.com have taken precautions:

Private Whois
Nassau, Bahamas

Right now, they’re making loads of affiliate cash from their gold plated yacht.

Jerome Segura

Update:

My friend Steven Burn pointed out that the iframe URL keeps on changing. It does indeed as you can see in this screenshot before my browser got owned:

Yeah, it did get owned:

Posted in Security

Backdoor Trojan lives on RE/MAX’s website

RE/MAX is a well known international real estate company. Here is one of their Israeli websites:

remaxplus.co.il

Although everything looks fine on the surface, the site has been hacked and is hosting malware:

remaxplus.co.il/Include/zombie60.exe

The file is poorly detected on VirusTotal (5/41).

Upon running zombie60.exe, a copy is placed under:

The following TCP connections are made:

The IP 67.205.124.38 points to a server in Montreal, Canada.

One domain, turk-dreamworld.com is hosted on the server.

Another interesting thing to note is this HTTP query:

Webalizer is a tool that analyzes website traffic. It looks like it was installed on yet another hacked domain.

There is a cool feature in Process Explorer that allows you to view the Strings contained in a process:

We can see the program’s path in the screenshot above: “C:\users\User\Desktop\TT Lamer Killer Source\” which confirms the payload we have seen above. Lamer Killer is indeed known as a backdoor Trojan.
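The Strings check above can also be scripted for files on disk. As an added example (not code from the original post), here is a small extractor for printable ASCII and UTF-16LE strings that flags embedded Windows build paths; the binary fragment is constructed, with only the Lamer Killer directory name taken from the screenshot above.

```python
import re

MIN_LEN = 5  # shortest run of printable characters worth reporting

# Windows path: drive letter, colon, backslash, then anything up to a character
# that cannot appear in a path. Spaces are allowed, since build directories such
# as "TT Lamer Killer Source" contain them.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\x00-\x1f]+')


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs, then UTF-16LE runs, much like the Strings
    view in Process Explorer does for a process image."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def find_build_paths(strings: list[str]) -> list[str]:
    """Pick out strings that look like Windows paths; compiler-embedded PDB and
    source paths are a common triage clue to a sample's family or author."""
    return [m.group() for s in strings for m in PATH_RE.finditer(s)]


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"strings": strings, "build_paths": find_build_paths(strings)}


# Constructed sample: a fake executable fragment. The directory name comes from
# the Process Explorer screenshot in the post; the file names are made up.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"C:\\users\\User\\Desktop\\TT Lamer Killer Source\\obj\\Release\\lamer.pdb\x00"
    + b"\x01\x02\x03\x04"
    + "D:\\build\\stub\\Release\\stub.pdb".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00WS2_32.dll\x00"
)

if __name__ == "__main__":
    for path in triage(SAMPLE)["build_paths"]:
        print(path)
```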

Maybe it’s time to call a RE/MAX agent: there’s a zombie in your basement ;-)

Jerome Segura

Posted in Security

New spamvertized campaign theme

The wave of United Parcel Service, DHL Global and Post Express Office spam – which has been so prolific and has led to scareware infections – changed to Bobijou Inc. over the Easter weekend.

However, the first batch sent out was flawed. As you can see below, the file attached has a “.dat” extension.

The mistake was rectified on Monday, with a proper zipped attachment:

Once extracted, the file looks like a PDF document but is in fact an executable:

Detection rates are not bad, although leading AV vendors still let it get through to the Inbox.

Bobijou is a famous British pearl jewellery brand. I wonder why they picked on a jeweller? Is it because of the upcoming Royal Wedding?

Jerome Segura

Posted in Security

A case of malware starring Mario, or should it be Wario?

I always find it interesting to know what goes on in cyber criminals’ minds.

Lately I’ve been observing a deluge of websites being hacked and serving drive-by downloads in the form of Java exploits under the name mario.jar.

Below is a screen cap of some of those caught by our HoneyPots:

On the left hand side are sites that have been hacked and on the right hand side is the payload URL.

When our HoneyPots crawl these sites, here is what happens:

I wanted to see for myself what such an attack looks like, so I fired up my browser and put on special glasses ;-)

Let’s take a closer look:

We have our browser, Internet Explorer, launching a Java applet (don’t mind Notepad, it’s just me viewing the HTML source code). Oh, and I also renamed Process Explorer to iexplore.exe so the malware won’t kill it.

In fact in this attack we can see there is more than just one exploit. (Note the HelpCtr.exe buffer overflow).

But it really all begins with the Java applet, mario.jar:

It contains a bunch of classes which work together to deliver the payload (an executable).

The code is written in such a way that the intent is not obvious:

In fact, VirusTotal detections are very low (2/42).

In this particular case, the payload is a ransom Trojan forcing you to dial a number to get a code to unlock your computer:

Let’s get back to the whole Mario thing. The bad guys really should have picked Mario’s nemesis instead: Wario hosing down computers with malware!

Creative Commons image of Wario courtesy of favelitu.

Jerome Segura

Posted in Security

Obama, birth certificates and Rogue AV


You probably saw that whole “Obama birth certificate” thing yesterday.

You’re also aware this means hunting around for pictures of his birth certificate is going to result in Rogue AV files popping up.

The first page of Google Image Search:


That one in the middle was (until a little while ago) using a java exploit to install the Security Shield rogue.


You may want to avoid both tdssdt45(dot)cz(dot)cc and lopasana32(dot)cz(dot)cc. VirusTotal currently gives us 10/42, and we detect it as FraudTool.Win32.MSRemovalTool.ek!a (v).

Elsewhere, we have more rogue action – our old friend bestrxfinder(dot)com served up another search engine site, topdaofinder(dot)com, which directed the end-user to freemobilescannerprotection(dot)com after clicking on a search result. You wanted a birth certificate, you ended up with XP Anti-Spyware 2011.


Whoops. We catch that one as FraudTool.Win32.FakeRean.d(v). Big news stories will always result in a wave of Rogue AV in both regular search and image links, so be careful where you click (as much as you possibly can, at any rate).

Thanks to Matthew, Adam and Patrick.

Christopher Boyd

Posted in GFI Software

Modern Phishing: The Art of Warfare


XBox Live currently has a warning issued in relation to “phishing attacks” in the Modern Warfare 2 game. However, information is frustratingly thin on the ground leading to much confusion as to what the attack is, how it takes place, what to avoid and so on.

Things I have seen in the past:

* Social engineering attempts in a game session. The attacker picks a game full of distractions – Left 4 Dead, for example – then gets talking to their random team mates. You’d be surprised how easily people let their guard down in relation to password reset questions while filling hordes of the undead with shotgun pellets.

* A hack that enabled users to temporarily change their gamertag while in a gaming session. This meant attackers would look at publicly available lists of Gamertags used by game developers, then jump into those titles and pretend to be said game dev. At that point, the “give me your login and I’ll give you a sparkly machine gun” messages started to flow thick and fast. Of course, not everyone using this glitch tried to phish people (warning: swear words, as you probably expected).

This time around, it looks like a particular game mod gives users lots of crazy abilities, but (from a quick scan of Youtube and elsewhere) also allows them to post chat messages onscreen, and they look like the kind of messages that are posted in certain games by developers every now and then:


Posting links to URLs ingame? Oh my. I could be wrong, but if anything screams out “Danger Will Robinson” this would probably be it. Hopefully Infinity Ward and / or Microsoft can patch this one up asap.

For now, keep in mind that you should NEVER give out your login credentials ingame.

You won’t get a sparkly machine gun for your efforts…

Christopher Boyd

Posted in GFI Software

Sony PlayStation® Network under attack

After discovering an external intrusion, the persons in charge took the worldwide network and the Qriocity services offline on April 20th 2011. Since then, none of the games can be played online anymore, some offline games can’t even be played offline due to the lack of network functionality, not to mention the possibility of viewing movies online.

But, apart from the absence of the well-reputed online services, there is a more critical problem than the lack of leisure time entertainment: the compromise of around 77 million consumer data records! This is an enormous amount of data!
An article in the PlayStation® Knowledge Center states that it seems the following PlayStation Network/Qriocity account holder data has been compromised:

  • name
  • address (city, state, zip)
  • country
  • email address
  • birth date
  • PlayStation® Network/Qriocity password
  • PlayStation® Network/Qriocity login
  • handle/PSN online ID


Other profile data may also have been obtained, including

  • purchase history
  • billing address (city, state, zip)


If an account holder has authorized a sub-account for a dependent, the same data with respect to that dependent may have been obtained.
If an account holder provided credit card data through PlayStation® Network or Qriocity, it is possible that the

  • credit card number (excluding security code)
  • expiration date

may also have been obtained.

 

What does it mean for me?
Whoever stole the data did it on purpose, and cyber criminals are mostly after money. Selling the complete user data (maybe even including credit card information) can bring a lot of money in the underground forums and boards. To give you an idea of the current prices for data collections, we collected some examples:

Sold for:

  • 50 € PlayStation Network credit – 10 to 25 €
  • Credit Card with renewable SecureCode – 50 €
  • Gold Credit Card with renewable SecureCode – 70 €
  • Credit Card without Verified by Visa – 40 €
  • Gold Credit Card without Verified by Visa – 50 €
  • Visa / MasterCard USA – 1.5 to 2 US$
  • Visa / MasterCard UK – 5 to 7 US$
  • Visa / MasterCard UK with date of birth – 10 US$
  • Visa / MasterCard Europe – 6 to 15 US$
  • American Express USA – 3 US$
  • American Express UK – 12 US$
  • American Express Europe – 9 US$
  • Credit Card blanks (not embossed, no data) – 25 US$
  • Credit Card blanks (embossed, no data) – 40 US$
  • ID card Romania / Moldova – 600 to 1,000 €
  • Driver’s licence Romania / Moldova – 600 to 1,000 €
  • Passport Israel – 2,300 €
  • Passport Romania – 2,500 €

Furthermore, the compromised user data is most likely genuine and valid. This means that, for example, spammers could launch sophisticated and targeted spam campaigns to obtain even more data or to lure the victims into various traps.
If you have a Sony PlayStation® account, you should be aware that your data might be used in further scam attacks.

 

What can I do?
The problem is that end-users are defenseless against this kind of attack against a vendor! There is no possibility for them to intervene. This highlights the importance of user awareness and care for one’s own personal data. The more information is provided online, the more information can possibly be used against you.

The advice we can give with regard to such user accounts is the following:

  • As soon as the network is online again, change your passwords!
  • In case you are using the same user name on other platforms, change the passwords for these platforms as well!
  • Only enter as much information into online accounts as is mandatory! Leave out all extra information not necessarily required to set up an account.
  • Check your credit card account statements for irregularities and immediately contact your credit card company in case you identify something unusual. The chances are very high that the bank’s insurance covers the costs resulting from this kind of fraud.
  • Use a dedicated credit card for internet transactions only!

Posted in G Data

infernomag.com / gtracking.org nastiness

Some sort of .htaccess hack is going on, redirecting users to infernomag.com and then on to a malicious site that looks like it’s downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on 85.17.132.194 (Leaseweb) which is the same server as gtracking.org which alters the .htaccess file as described here.
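A check a site owner can run over their own .htaccess, added here as an example (not part of the original post): it groups mod_rewrite conditions with the rule they guard and flags off-site redirects that fire only for search-engine referrers on Internet Explorer, the pattern described above. The .htaccess content is constructed; only infernomag.com comes from the post.

```python
import re

# Constructed .htaccess modelled on the hack described above: the redirect fires
# only for search-engine referrers and only for Internet Explorer, so the site
# owner browsing directly never sees it.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteCond %{HTTP_USER_AGENT} .*MSIE.* [NC]
RewriteRule ^(.*)$ http://infernomag.com/ [R=302,L]

# Legitimate rules: canonical-host redirect and an internal rewrite.
RewriteCond %{HTTP_HOST} ^example.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteRule ^old/(.*)$ /new/$1 [L]
"""

SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "aol")
IE_MARKERS = ("msie", "trident")


def parse_rules(htaccess: str) -> list[tuple[list[tuple[str, str]], str]]:
    """Group mod_rewrite directives into (conditions, rule-remainder) pairs.

    Apache applies every preceding RewriteCond to the next RewriteRule, so
    conditions accumulate until a RewriteRule consumes them.
    """
    conds, rules = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # directive, first argument, the rest
        if len(parts) < 3:
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            conds.append((parts[1], parts[2]))   # (test variable, pattern + flags)
        elif directive == "rewriterule":
            rules.append((conds, parts[2]))      # (guards, target + flags)
            conds = []
    return rules


def suspicious_redirects(htaccess: str, own_host: str) -> list[str]:
    """Targets of rules that send visitors off-site and are keyed on both a
    search-engine referrer and an Internet Explorer user agent."""
    hits = []
    for conds, rest in parse_rules(htaccess):
        target = rest.split()[0]
        m = re.match(r"https?://([^/]+)", target)
        if not m or m.group(1).lower() == own_host.lower():
            continue  # internal rewrite or same-host redirect: not interesting
        refs = [pat.lower() for var, pat in conds if var.upper() == "%{HTTP_REFERER}"]
        uas = [pat.lower() for var, pat in conds if var.upper() == "%{HTTP_USER_AGENT}"]
        keyed_on_search = any(e in p for p in refs for e in SEARCH_ENGINES)
        keyed_on_ie = any(i in p for p in uas for i in IE_MARKERS)
        if keyed_on_search and keyed_on_ie:
            hits.append(target)
    return hits


if __name__ == "__main__":
    for target in suspicious_redirects(SAMPLE_HTACCESS, "example.com"):
        print("conditional off-site redirect to", target)
```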

infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users – it is likely that their domain control panels have been compromised. Examples are:


Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net

The WHOIS details are probably fake, for infernomag.com and gtracking.org they are:

   Felix Maurer
   sherman66@ymail.com
   Waldowstr. 61
   Gschwend   Gschwend
   74417   DE
   +49 98466101
fortreecom.net uses the same email address but a different name:

    Bernd Austerlit        (sherman66@ymail.com)
    Alt Reinickendorf 94
    Ziemetshausen
    Bayern,86471
    DE
    Tel. +82.84991251
Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.

Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.

Posted in Security

Fake “Lapatasker” job domains 28/4/11

This particular scam has been around for a couple of years and is so common now that I’ve christened this group of scam domains “Lapatasker” after the email address used in some of the older WHOIS details.


New domains for this scam (all registered on 26/4/11) are:

1job-europ.com
consult-europ.com
middle-consult.com
westconsult-eu.com

The (probably fake) contact details on the domains are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l’Alleud
    State: Braine l’Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152
As ever, avoid.

Posted in Security

Spamvertised “Successfull Order 977132″ Leads to Scareware

A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.

Sample subject: Successfull Order 977132
Sample message: Thank you for ordering from Bobijou Inc. This message is to inform you that your order has been received and is currently being processed.

Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc.” will appear next to the charge on your statement. You will receive a separate email confirming your order has been despatched. Your purchase and delivery information appears below in attached file.

Thanks again for shopping at Bobijou Inc.

Sample attachments: Order_details.zip

Detection rates:
Order details.exe – Trojan.FakeAV – Result: 24/40 (60.0%)
MD5   : 7c810cbb47c9f937b5f663b51ab7ee50
SHA1  : b4faf8c724727381abb11c44b71605ff6e65cbbf
SHA256: 0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904

Upon execution, it phones back to:
kkojjors.net/f/g.php – 95.64.9.15 – Email: admin@firtryt.biz
variantov.com/pusk.exe – 94.63.149.26 – Email: admin@variantov.com

Detection rate for the scareware variant pusk.exe:
pusk.exe – Suspicious.Cloud.5 – Result: 4/41 (9.8%)
MD5   : bbd466a67586003776e295eaf3d2976c
SHA1  : 6a8e1d84157c76b4c9238fc23d28686244f6650f
SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05


Upon execution, pusk.exe phones back to a list of domains hosted on several IP ranges:

Monitoring of the campaign is ongoing.


This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Posted in Security

FedEx used for continued email malware – Zombies up 70%

It’s been almost one month since we reported the huge increase in email-borne malware attachments. The outbreaks have continued on an almost daily basis since then and we have noted a corresponding dramatic increase of over 70% in the number of zombies.

The traffic graph below shows the continued outbreaks (orange line). As noted previously, the levels shown below have not been seen for well over one year. The outbreaks often reach levels of 20-40% of all email traffic.

Initially the attachments were “UPS package notifications”. Then the subjects changed focus to “DHL package notifications”. The zip attachment, however, remained “UPS.exe”, leading us to conclude that DHL were transporting UPS malware.

And now (the most logical step, we suppose) the subjects have changed to FedEx package notifications. The attached “document.zip” file still extracts to “UPS.exe”. The body text is actually an image served from a variety of fast-changing domains. The body of the email also includes random text in a 1-point font size and white color. In this example the text reads “fwa dp ud gn vbg we ayf zv ole” (yes – that’s quite random.)

dear customer the parcel was sent your home address and it will arrive within 7 business day.  more information and the tracking number are attached in the document below.  thank you
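The image-only body with invisible filler text is a pattern a mail filter can look for directly. As an added example (not Commtouch’s own code), the parser below separates visible from hidden body text, records the hosts images are pulled from, and flags a message whose only readable content is an image; it assumes a white background, as most mail clients render. The HTML samples are constructed, with the filler words taken from the report and a placeholder image host.

```python
import re
from html.parser import HTMLParser

TINY_PT = 4  # font sizes at or below this are effectively invisible
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never closed


def is_hidden(style: str) -> bool:
    """True when an inline style makes text invisible: a tiny font size or a
    white colour (the background is assumed white)."""
    style = style.lower()
    size = re.search(r"font-size\s*:\s*([\d.]+)\s*(?:pt|px)", style)
    tiny = size is not None and float(size.group(1)) <= TINY_PT
    # The lookbehind keeps "background-color" from matching as "color".
    white = re.search(
        r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))",
        style,
    ) is not None
    return tiny or white


class HiddenTextFinder(HTMLParser):
    """Splits body text into visible and hidden parts and records image URLs."""

    def __init__(self):
        super().__init__()
        self.stack = []  # one flag per open element: is its text hidden?
        self.hidden, self.visible, self.images = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        if tag in VOID_TAGS:
            return  # no matching end tag, so nothing to push
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or is_hidden(a.get("style") or ""))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            bucket = self.hidden if (self.stack and self.stack[-1]) else self.visible
            bucket.append(text)


def analyse(html: str) -> dict:
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    hosts = {re.sub(r"^https?://([^/]+).*$", r"\1", u) for u in p.images}
    return {
        "hidden_text": " ".join(p.hidden),
        "visible_text": " ".join(p.visible),
        "image_hosts": sorted(hosts),
        # The pattern from the report: nothing readable but an image, plus
        # invisible filler meant to defeat content hashing.
        "suspicious": bool(p.hidden) and not p.visible,
    }


# Constructed samples; the image host is a placeholder.
SPAM_HTML = """<html><body>
<img src="http://image-host.example/notice.gif" alt="">
<p style="font-size:1pt;color:#ffffff">fwa dp ud gn vbg we ayf zv ole</p>
</body></html>"""

LEGIT_HTML = """<html><body style="background-color:white">
<p style="font-size:11pt;color:#333">Your parcel will arrive within 7 business days.</p>
</body></html>"""

if __name__ == "__main__":
    print(analyse(SPAM_HTML))
```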

Posted in Commtouch
