Just a note that I was my own guinea pig. I presumed that the Chilean source-server was identical to the Romanian one, so rather than dangerously clicking on the URL in the email (which would have obviously handed my computer to the "loader") I went instead to the domain server directly, to see if it also self-identified as being slaved to TeamViewer software. Rather than just say so (which the Romanian server did) it proceeded... while showing a blank screen... to "load". I immediately yanked my Ethernet cable and killed the page, with hopes that it didn't get its packet into my machine and was only able to use those few seconds to scan for my Operating System (OS). However, for a modern computer a few seconds are aeons and enable multiple back-and-forth conversations and exchanges of data. Certainly it got my machine ID and domain address for future reference... not a good thing. My laptop (from which I'd done this... with all firewalls up and all external drives disconnected) immediately began to act a little dodgy. The rest of the afternoon was marked by a duplicate RealPlayer Downloader jumping in and acting in tandem (in other words, duplicating and parallel downloading) every clip I encountered on the Internet, i.e. newsfeeds. So I drilled down into my own applications and discovered a new version of RealPlayer had been loaded, lacking the proper shell but still very functional. With some effort I rooted it out plus its accessory-after-the-fact RealPlayer downloader. Mind you, I'm on a Mac... so this again points to the fact that this entire gambit is very well-financed, sophisticated and probably for some higher (meaning more nefarious) ends than simply generating spam for somebody.
Given that the Facebook "clickjacking" attack involved forcing a short movie clip down the Internet into the waiting arms of the duped consumer (who sees it as a reward for successfully connecting to a "friend"), it makes sense that this is the form the toxic software trojan has taken. If any of you got the faked email and innocently visited the Facebook "security update" page in the past, check your RealPlayer for duplicates. (Not finding one does not mean you are scot-free; it may have dumped your old version for itself.) The best strategy might be to uninstall all RealPlayer-related software and re-install directly from REAL... if you can. I had pulled up my activity-watching software and noticed unnecessary activity out of RealPlayer, which went away after I put the offender into the trash. However, I don't trust that I've gotten the last dregs of the worm out... so I printed out an activity log from noon yesterday to midnight yesterday (via the Mac utility called "Console") and will take it to a super-savvy friend for analysis. There seem to be an inordinate number of partially-loaded pages and inappropriate (rejected) commands and calls during a narrow timeslot in the afternoon which roughly coincide with the dropping-in of that toxic packet. What a difference a few seconds make. Beware, beware. There seems to be badness afoot and I suspect the other shoe is yet to drop.

Michael Cerulli Billingsley
Straight Arrow Recordings
802-254-3975/380-6408
The Cotton Mill, Brattleboro, Vermont
Location Recording - CD Mastering - Sound Solutions/FX

On 30 December 09, at 11:02 AM, Lisa Sieverts wrote:

> Thank you, Michael, for sharing this valuable information.
> Lisa
>
> On Tue, Dec 29, 2009 at 11:05 PM, Michael Billingsley <michaelb at sover.net> wrote:
>
> ** Be sure to fill out the survey/skills inventory in the member's area.
> ** If you did, we all thank you.
>
> Dear H-T'ers
>
> I appreciate the sincere attempts to "decode" my first post on this subject, and the heartfelt and sage advice that A) one should never give one's password to an unknown respondent and B) one should avoid visiting websites masquerading as one's favourite social networking provider, asking you to re-set or provide personal information.
>
> All well and good.
>
> My notice that the original "faked" Facebook member security-upgrade announcement was sourced by a server in Romania... pre-loaded with PC-jacking software... may have escaped attention, but I will reiterate. Now that same "crew" of criminals has re-sent a second round of bogus and equally high-quality "upgrading your Facebook security" notices on Christmas Day, this one sourced (ultimately) from a server in Chile. Again the package was very high-class... and any visitor to that website just to see what it might be about will immediately be sniffed (to determine your OS) and then become loaded with a software packet. No asking for passwords. No security questions. Just simply visiting the webpage will lead to your computer being compromised.