A spam campaign that sends personalized phishing emails through Yahoo! Groups has recently been reported by TrendLabs researchers Jake Soriano and Grace Ermitanyo (who provided a detailed analysis of this attack). Phishers appear to have sent the phishing emails through Yahoo! Groups either via the standard posting method (the Post Message feature on the Yahoo! Groups site) or by sending an email to the group’s @yahoogroups.com address. Thus, users who receive this email from a Yahoo! Group of which they are members are likely to believe that it is legitimate.
The success of this phishing attempt further depends on how the group mailing list is actually moderated. There are settings in Yahoo! Groups spam abuse prevention that allow the moderator to approve all messages before they are sent out to members.
The phishing email provides a link that redirects the recipient to a website with a fake form. The form steals user identities by gathering personal and sensitive information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. These details are sent to the phishers, who may then use the information themselves or sell it on underground forums to cyber criminals.
In one particular case, clients of the Royal Bank of Scotland (rbs.co.uk) are targeted. In the phishing email, the URL differs from the actual bank domain and redirects to rtsrv.co.uk.
Moderators of Yahoo! Groups are advised to read about their options related to keeping their members safe from spam and phishing attempts at the Yahoo! Groups FAQ on spam abuse prevention.
The UK Home Office crime reduction website (crimereduction.homeoffice.gov.uk) was hacked on Monday. The attackers used the hacked website to host an Italian phishing website. A remote file inclusion exploit was used to launch the phished page off the web server hosting the Crime Reduction website on homeoffice.gov.uk. As a result of the SQL injection attack, a page resembling the www.poste.it site was served up so that it appeared to come from the homeoffice.gov domain. Poste.it is the website of an Italian bank and is a frequent target of phishing attacks.
According to a net security firm, the phishing fraudsters used the POST method so that phished data submitted by victims was sent to them. It is unclear why they picked a government page located in the UK to host a phishing attack. Usually phishers pick or register a domain name for the fake website that resembles the original website as closely as possible, to confuse the victims.
The Home Office pulled the rogue content from its site early on Monday morning. This attack is another example of cybercriminals abusing security exploits on trusted websites to serve up fraudulent content such as fake phishing pages or to install malware. The Home Office crime reduction website joins a long list of other UK government sites, and the US Department of Homeland Security website, that were abused by attackers in recent months. The fact that this time it is a crime reduction website should be extra embarrassing for this British government department.
Phishers have started targeting users of Apple Inc.’s iTunes music store with sophisticated identity theft attacks. According to e-mail security vendor Proofpoint Inc., many users received spam messages telling them that they must correct a problem with their iTunes account. A link in the spam leads to a site posing as an iTunes billing update page.
This fake page asks for information including credit card number and security code, Social Security number and mother’s maiden name. The theft attempt is a new addition alongside companies and brands like PayPal, eBay and Citibank, which are constantly attacked by phishers.
Users who receive an e-mail with a link to a site requesting personal financial information should be very cautious about proceeding. Bookmark or type in the URLs for sites containing financial information, such as your bank or e-commerce sites like iTunes. Never visit the links you receive in an unsolicited e-mail.
A new phishing attack is circulating via email messages that claim to be petitions from the US Tax Court. The messages appear to be legitimate because they may contain very specific information about the recipient. The messages request that the user follow a link to download additional information about the petition, but in reality malicious code may be installed on the system if the victim clicks this link.
According to the United States Tax Court, many telephone calls were received reporting an e-mail that purports to originate from the Court and is being sent to practitioner members of the Tax Court. The Tax Court is not distributing any e-mail notice to anyone who currently has a case. E-mails with a subject line that includes the text “US Tax Petition”, along with an incorrect docket number following the format #123-456, and a sender address of noreply@ustaxcourt.org or complaints@ustaxcourt.org, should be ignored.
Users are advised not to follow unsolicited web links received in email messages and to run anti-virus software with up-to-date virus signature files.
Google Adwords account holders are being targeted by criminals who trick them into handing over credit card information using a URL spoof that has gained popularity in recent weeks.
The scam follows a traditional attack route involving the sending of spam emails to random Internet addresses in the hope of finding users who have purchased Adwords. The email claims that the user’s account payment has failed and asks them to “update payment information”, again a transparent tactic by today’s standards.
A proper-looking link, http://adwords.google.com/select/login, is embedded in the email; this is a correct Google login address. However, it actually leads to http://www.adwords.google.com.********.cn/select/Login, an obfuscated address that directs to a site associated with IPs in Germany, Romania, and the Czech Republic.
The site is a good copy of the real Google Adword site, and appears to let users login using their real account details. Obviously, any account details will work. Entering payment details results in that information being posted using an SSL link to a remote server after which the account will be hijacked.
The attack has been publicized by security software company Trend Micro, but the disarmingly simple scam is widespread enough to have been received by ordinary users in recent days. The latest phishing attack bears a strong resemblance to a near-identical campaign launched a few weeks back by Chinese criminals.
As common as “account update” attacks have become, the spoofed URL is still the key to reeling in victims. Criminals seem to have realized that users are paying more attention to such details.
Sunbelt issued a warning about several sites whose names are spelled very much like the real Microsoft-owned websites. These URLs could be used in future phishing or targeted attacks, as they closely resemble the true Microsoft naming conventions.
The recent Windows XP SP3 news buzz probably gave attackers an idea of how to trick users into installing “necessary updates” or even the “latest Service Pack 3”, which are nothing but information-stealing trojans if you choose to install them from those fake domains. If you get lucky, your PC might even become part of some notorious botnet.
Most of the URLs are plural (e.g., microsofts or microsoftes). Please do not attempt to go to these sites, as malware could be automatically and silently installed on vulnerable PCs.
A list of fake Microsoft-looking domains and their IP addresses:
Visiting suspicious URLs and performing any actions on websites mentioned in emails from unfamiliar senders will most likely result in an attempt to infect your Windows system.
Phishing attacks on consumers in the UK have more than doubled for the first quarter of this year, according to Apacs, the UK payment association. The number of recorded phishing incidents for the first quarter of 2007 was 3,394, an increase from 2,369 in the first quarter of 2006.
Apacs recorded more than 10,000 reported phishing incidents in the first quarter of 2008, more than 200 percent up from the same period last year. Evidence shows that users are becoming somewhat more sophisticated with regard to phishing attacks: the proportion of phishing targets either deleting phishing messages or taking no action over them increased from 75 percent in 2006 to 82 percent last year.
Online banking losses due to fraud have decreased by one-third from £33.5m in 2006 to £22.6m in 2007, Apacs said, but efforts to defraud users have climbed steadily. Although online banking fraud losses fell last year, the fraudsters clearly aren’t giving up. Phishing scams are continuing to rise and they are becoming ever more sophisticated.
The dramatic rise in phishing figures could also be due to increased awareness on the part of users. Apacs found that 93 percent of users now have anti-virus software installed, but this figure falls to 71 percent for anti-spyware software.
Apacs has also noted a significant spike in consumer concerns over phishing in recent months, which is another indication that, at least, users are growing more aware of the problem.
Spammers have found a fertile new marketplace on social networking sites such as Facebook and MySpace. Fortinet, a security research group, warns about hijacked Facebook accounts posting deceptive messages on the Wall.
Like most social networking sites, Facebook has a “Wall” feature, allowing users to post comments on friends’ profiles. This is currently being exploited by spammers to post deceptive messages, linking to typical spam sites such as (but perhaps not limited to) online “pharmacy” shops.
Spammers are using genuine users’ profiles to disseminate these messages and are buying or ‘renting’ these identities from online thieves. The account of a user who was verified not to be a spammer was hijacked by identity thieves. The hijacking involves phishing attacks: deceptive messages that attempt to trick users into handing over their login credentials to hackers. A phishing worm was spotted spreading on Facebook earlier this year, and both incidents may be related.
The Fortinet Global Security Research Team advises social networking site users to be wary of phishing attempts: when confronted by a login page, or upon clicking a link contained in a friend’s message, carefully check the login page URL. Legitimate login pages are hosted on the original social site domain (here, Facebook.com), while rogue login pages cannot be. Mental tricks may sometimes be utilized to trap users (for example, Facebook.com.xiefbnh.cn, Facebook-login.com, Facebopk.com, etc.), as is frequently the case in phishing schemes.
Please note that although this has rarely been seen on Facebook so far, it is fairly common on MySpace. One of the spammed links has been confirmed to resolve to a web host that also serves content for several pill-pushing sites involved in a criminal fraud ring. Included in this ring are pharmacies from Canada.
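The URL check Fortinet recommends above, and the lookalike hosts described in the AdWords and Microsoft items, can be turned into a small classifier. The following is an added example (not Fortinet’s or Trend Micro’s code): the allow-list of brand domains, the two-label suffix stand-in for a public-suffix list and the host adwords.google.com.phish-example.cn are assumptions constructed for illustration; the other hosts are the ones quoted on this page.

```python
from urllib.parse import urlparse

# Registrable domains of the brands named on this page (assumption: the
# allow-list a mail filter or browser extension would maintain).
TRUSTED = {"facebook.com", "google.com", "microsoft.com", "rbs.co.uk"}

# Minimal stand-in for a public-suffix list (assumption); enough for the
# hosts discussed here, a real deployment would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn"}


def registrable_domain(host):
    """Return the part of the host a registrant actually controls, e.g.
    xiefbnh.cn for facebook.com.xiefbnh.cn; everything left of it is
    chosen freely by whoever owns that domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Label a link found in an email by how its host relates to TRUSTED."""
    host = urlparse(url).hostname or ""
    if not host:
        return "invalid"
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return "trusted"
    sld = reg.split(".")[0]          # the label a reader takes for "the site"
    brand_names = {b.split(".")[0] for b in TRUSTED}
    # 1. The whole brand domain is present, but only as a subdomain of
    #    someone else's registrable domain (facebook.com.xiefbnh.cn).
    if any(b in host for b in TRUSTED):
        return "brand-as-subdomain"
    # 2. One edit away from the brand label (facebopk.com, microsofts.com).
    if any(edit_distance(sld, b) == 1 for b in brand_names):
        return "typosquat"
    # 3. Brand label embedded in a longer label (facebook-login.com).
    if any(b in sld for b in brand_names):
        return "brand-lookalike"
    return "unrelated"
```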
Spambots on MySpace have recently begun using more sophisticated techniques, net security firm Websense reports. Malformed profiles are created in such a way that they hide all of the real MySpace profile areas. Surfers clicking on these, expecting to view pictures or messages, are instead met with content from spammed sites or worse.
This technique can easily be adapted for malicious purposes, such as drive-by installers, MySpace phishing, and so on. MySpace has a built-in security feature to catch form submissions to other sites. However, it seems to be reliant on a ‘Submit’ button being present to trigger the form. Having the warning there is a good, proactive security measure, but if the warning is bypassed, then it does no good.
Beyond that, wall posts containing links must be handled with care. While hijacked accounts have not been proved to be utilized for anything beyond posting relatively innocuous spam, it is not a stretch to think that links to drive-by-install malicious sites could be injected at some point. Following links contained in wall posts is therefore not recommended.
Another phishing Web site attempts to steal confidential credit card information. Using string manipulation, it is able to spoof the official Web site of the Royal Bank of Canada. Note that the said URL contains a variation on the actual domain name (“banking” vs. “bank”) to trick users into thinking that it is the official Web site of the affected bank.
[Screenshot of the phishing website]
The spoofed URL masks the actual phishing URL by using a certain frame source. This frame source URL is responsible for gathering account-related information, such as credit card numbers and account passwords, from the affected users.
When the first frame source URL is blocked, a second frame source is used. The next time the phishing Web site is visited, it already uses another frame source URL. This is clearly a distinct approach to circumventing security restrictions related to phishing attacks.
The domain used by this phishing Web site is registered for just one year, which is unusual for a legitimate website, since legitimate websites intend to operate for longer than that.
Security experts at Webroot Software report seeing a new wave of keyloggers (programs that secretly record every character you type), system monitors, and viruses leading up to prime tax filing season. Webroot’s Threat Research Team says that more than 1200 new key-logging programs and 336 versions of system monitoring spyware have been found and defined in the past month alone. Several states warn that con artists have already begun using the highly publicized rebate checks as a ploy to get you to divulge personal financial information.
The increase might be explained by the fact that fewer taxpayers are using old-fashioned paper forms for preparing and submitting their taxes. According to Webroot’s figures, a record 22 million taxpayers filed their taxes from a home computer last year, up 11 percent from the previous year. Scammers know this and figure that your identity is especially vulnerable to theft when you’re filling out your tax documents with a software program or filing them over the Internet.
The federal government expects to issue economic stimulus rebate checks sometime in May or June. IRS refund checks typically arrive within three weeks of the date when you e-file your return. Some fraudulent e-mail messages contain links to fake government Web sites that request your Social Security number and bank account numbers so that the IRS can process a rebate check. If you resist disclosing the information, the site informs you that you won’t be able to receive your rebate.
Another tax scam involves e-mail messages that target accountants, businesses, and individuals, notifying them of supposed changes in tax laws. These phishing messages direct the recipient to download “updated” tax documents that reflect the new tax laws. The IRS reports having received numerous complaints from people who have downloaded bogus documents to their computer, only to discover that the documents contained malicious code designed to transfer control over the PC to a third party. A growing number of tax-themed e-mail messages contain links to Web sites (not files for download) that attempt to install malware on the visitor’s PC.
WXYZ, the ABC television affiliate in Detroit, reported that a Michigan woman, Maria Mendoza, lost US$4000 when a crook stole her identity and then visited a local H & R Block office to file a tax return, posing as Mendoza. After submitting the return, the scammer asked to receive her $4000 tax refund on the spot, using a Block service called a Rapid Refund debit card.
Recently, Google Adwords and Google Adsense users have been receiving phishing emails that appear to be from Google.
When you click the URL in the email body you are redirected to a fake Google Adwords website and asked for your user name and password. The information is sent to malicious users, who might try to abuse your account for their own needs. Moving your mouse over the URL in the email shows that it is a fake .cn domain. The fake website looks like the real Google Adwords website, but there is no SSL certificate (no https:// in the URL, just http://).
The email looks like it has been sent from adwords-noreply@google.com address and the message subject is “Please Update Your Billing Information”. Message body says “Dear Google AdWords Customer! In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information.”
In case you are a Firefox user, you might get a warning about the site you’re about to visit.
Since last year there have been a few exposed cases in which spammers used Google page ads in HTML-formatted emails to redirect users who clicked the URL to bad sites, usually containing both spam and infected software, for example:
http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://www.infectedsite.com
Many considered a scenario where Google page ads were used to conceal the actual URL and avoid detection by traditional anti-spam techniques. However, it seems one can change the linked URL to point to any site of one’s choice, especially since no validation appears to be done on Google’s end.
A malicious user could also point the Google page ad to executable files (.exe, .pif, .scr etc.), and some malware authors have started doing this; such a link will redirect to and download the malware without any problems or warnings. Although Google is very strict about the kind of file attachments one can upload/download via their Gmail service, anyone can craft a URL that looks like it belongs to Google (and therefore looks safe) and point it at any software executable file. Here is a simple and safe demonstration:
http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/10.2.0.023/Shockwave_Installer_Slim.exe
Clicking this link will download Shockwave Player from Adobe Download Center.
Google is probably aware of this redirect abuse by now, and it is hard to understand why they do not prevent these redirects from working for known bad file types or for spam and infected/hacked malware sites.
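The redirect pattern described above is easy to spot on the receiving side: the outer link is on a trusted host, but a query parameter carries a second, absolute URL on a different host. The following is an added example of that check (not Google’s code); it generalizes beyond the adurl parameter to any parameter whose decoded value is an http(s) URL, and the executable extensions are the ones the text lists. The two Google URLs are the ones quoted on this page; the example.net URL is constructed.

```python
from urllib.parse import urlparse, parse_qs

# File types named on the page as redirect targets for malware.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr")


def embedded_redirects(url):
    """Return (parameter, target_host, is_executable) for every query
    parameter whose decoded value is an absolute http(s) URL on a host
    other than the outer link's host.  parse_qs percent-decodes values, so
    an encoded inner URL is handled; an inner URL with a raw, unencoded
    '&' in its own query would be split at that point (known limitation)."""
    outer = urlparse(url)
    outer_host = (outer.hostname or "").lower()
    found = []
    for param, values in parse_qs(outer.query, keep_blank_values=True).items():
        for value in values:
            inner = urlparse(value)
            if inner.scheme not in ("http", "https") or not inner.hostname:
                continue                     # ordinary parameter, not a URL
            inner_host = inner.hostname.lower()
            if inner_host == outer_host:
                continue                     # stays on the same site
            is_exe = inner.path.lower().endswith(EXECUTABLE_EXTENSIONS)
            found.append((param, inner_host, is_exe))
    return found


def assess(url):
    """Coarse verdict for a link lifted out of an email body."""
    hits = embedded_redirects(url)
    if not hits:
        return "no-redirect"
    if any(is_exe for _, _, is_exe in hits):
        return "redirect-to-executable"
    return "redirect-offsite"
```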