Compare the fake application on the left with the real thing on the right, and note the differences:

Immediately, we can see that the real thing has a rounded curve at the top - the fake is blocky, and looks like a regular Windows application box. There's an "Inbox" link at the top when you start up the fake application - there isn't a link like that when firing up Google Talk for the first time. The Username / Password box is much lower down on the fake application, and (again) the real "Sign In" button is curved on the real application. Finally, you'll see "Forgot your account / Don't have an account" on the genuine Google Talk program - not so on the fake.

How does this work?

Well, the program doesn't connect to the Internet - for this attack to be successful, the hacker needs physical access to a PC that lots of people use. Could be a workplace PC, could be in a school, library, Net Cafe - anywhere where it's possible to run an executable file then retreat to a safe distance while the potential victim sits down and thinks "Just need to check something on IM..."

Assuming the victim enters their login details into the fake application, they will immediately see a fake error message, and probably think no more of it:

Once they've finished whatever they were doing and left the PC, the attacker only has to sit down and browse to the C Drive where they'll see this:

As you probably guessed, any all login details typed into the fake application will be stored in this text file:

We detect this application as Fake Googletalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher

*cough*

Anyway, the fresh deluge of Viagra spam in my mailbox tells me the comments are now 100% up and running once more. I'm now going to sit in the corner and cross my fingers...

Well, read on to see an example of a DDoS tool riddled with memes just so it'll gain acceptance from the target audience (complete with built in radio and chat functionality, just to keep the "Partyvan" mentality going a little longer) after the jump. By the way, there's no getting around this - many Internet memes are (by their very nature) cruel, vile and offensive. This makes the nature of explaining some of these memes slightly tricky, and (as this is a safe for work blog) kind of makes it difficult to link to source material without making you go blind. As such, anything that might cause you boss to yell at you has been labeled not safe for work. And with that out of the way....

...uh. I had pegged this as a standard fake profile, but the addition of the personalised "Why, hello there" message wasn't something I'd seen before with one of these fake profile requests. A look at the profile, and...

.....strange - not the usual fake profile hurling adverts for ringtones, Adware and who-knows-what at me. It's a bit arty, a bit daring - certainly in your face, but for once, it's not adverts and scams in your face, and that's a refreshing change. Could it all go wrong with the "About Me" text though?

Apparently not. There's no mention of the latest Viagra pills or even a webcam. This is weird. It's almost too good to be true.

Almost.

Click anywhere on the page, and (courtesy of an invisible overlay)....

Doh! And we were doing so well for a while there...

Alternatively claiming to be a representative of Halifax Bank (or First Assist, an accident insurance company), they cold call their "target" and immediately start quizzing them for personal details, apparently without prompting.

There's three whole pages of puzzled individuals here, and another extremely interesting writeup about it here.

Note the selection of text files that accompany the program. We've seen a growing trend for hackers to leave copyright warnings on their programs, and messages of a similar nature elsewhere. Well, the all-out branding assault continues here:

....Belgium Power? Once they're done impressing you with the technical specs of the programs creation, they continue to hit you around the head with more information:

Once you fire up the Client, you can't help but be impressed by the clean, logical layout (very reminiscent of a spreadsheet, actually):

Even better, the desire for being properly credited for their work runs wild here:

According to that screenshot, they consider their Crew name to be a Trademark, and and program itself seems to be Copyrighted (All Rights Reserved). Creating the infection file is as simple as hitting the "Build It" button - when you see this, you're ready to start pushing your infection file to the masses.

Once the attacker has sent the infection file to the victim and convinced them to execute it on their PC, the attacker will be notified like so:

At that point, the attacker simply opens up the "spreadsheet" page and sees this:

The message says "Ready for action" - so very, very true. At this point, the attacker simply opens the "Passwords" tab, hits the "Get MSN Passwords" button and is presented with all the login details stored on the PC:

We detect this as PassHax.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher

As the title states, no need to panic - it's highly unlikely this is anything other than somebody harvesting accounts the old fashioned way then promoting an endless deluge of pill websites. Yes, Phishing sucks - but for now, it doesn't look like Pinont.com is the Herald of the End of Days or anything equally dramatic..

Well, a few months on and it looks like the BBC had a coder create an application (in three hours or less) that could swipe a whole pile of data on both you and your friends, before mailing it back home to base. I can't stress enough - when it comes to social networking sites, NEVER post anything you wouldn't feel comfortable posting on an otherwise open and accessible site such as your blog, personal website, whatever. I have pages on Myspace, Facebook, Orkut and a whole bunch of others - and there is NOTHING on them that you couldn't find elsewhere. There is no hidden treasure trove of data to mine, and so I don't care what happens to it because it's all out there in the public domain anyway. This is what I've been telling people for the longest time, and it works.

A few days ago, I talked about the oddly intrusive chat attack I experienced, and how FaceTime products can control / lock down / fire into orbit Facebook applications where necessary. To date, there haven't been any applications out there that have gone in and done all sorts of horrible and malicious things to end-users on Facebook. Personally, I've been more concerned about applications that allow people to post a seemingly endless and imaginative array of body parts in various comical situations. Nobody really wants that all over their desktop in a regular workplace environment, right? However, this seems to me to be a warning shot of sorts - a warning that we not only need to consider locking down applications that cause annoyance and embarrassment, but also to keep an ear to the ground as we await the inevitable arrival of the "I BREAK STUFF" application.

Coming soon to a Web 2.0 site near you...

For those that are still with me.....

We write about an interesting "system error" (as Myspace called it) that allowed people to track other Myspace users that were visiting their page, after having notified Myspace about this issue.

April 16th, 2008: Who Is Watching the Detectives Part 2

This still hasn't been fixed, and (worse still) it looks like this has been in circulation since at least October 2007. Hurry up, Myspace...

April 30th, 2008: It looks like this has finally been fixed, and it's no longer possible to auto subscribe visitors to your video subscription channel. Hooray! Score one for the good guys - that's one less tool hackers, Myspace Trolls and crapflooders can use to game the system.

One down, plenty to go....

...yikes. Seems like Facebook added in a live chat facility a couple of weeks ago - the first I knew about it was on Saturday when I had an endless stream of people popping up handing me an endless set of variations on the word "Hello".

Incredibly annoying, and you can laugh if you want, but I couldn't work out how to switch the accursed thing off. What did I do? Easy, I simply shut down Facebook altogether and did something else instead. We've all seen killer apps before, but it's been a while since I saw an app kill off the desire to use the parent website.

Anyway, FaceTime products allow you to control exactly what Facebook applications are allowed for use in the workplace - which I think is pretty nifty, personally - so I was curious as to whether or not we had measures in place to lock down this chat feature too. Well, one quick check fired from the UK to the States and back again (via a quick stop-off in Bangalore) and the answer is that yes, we do provide lockdown for this application if so desired.

I never thought I'd feel smug about being able to lock something down on a website, but wow - there you go. Of course, that's great for enterprise customers, but what about home users? Well just in case you don't know, the answer is as simple as clicking the "Chat" option at the bottom of your browser, then hitting "go offline":

...problem solved. If you want to see exactly how big a deal Facebook applications have become, check out this link on the GreynetsGuide. We secure and control every application listed there, which is frankly terrifying but there we go. For now, feel happy in the knowledge that you won't be dragged into a hundred conversations from some random person you added simply because they knew a friend of a friend of a friend.....

Remember, kids - don't mix alcohol and executables.

Run the program, and you end up with a devastatingly idiot proof phish creation tool. In a nutshell, you enter the URL of the site you want to target and also the place where your phish script is located. It sucks down the content of the target site and jumbles it up with your phish script - hey presto, one Phish page ready to roll.

Facebook...

Myspace...

And, just to show that it will suck down pretty much any site you enter, here's Google search engine...

On the bright side, this one doesn't come with spoken help files...