CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Phishing’ Category

FCO Warns About “Recession Relief Programme Fund” Phishing Scam

Wednesday, April 8th, 2009

The Foreign and Commonwealth Office (FCO) has warned Brits and others to ignore a phishing scam currently circulating around the internet.

Scam emails attempt to trick users into submitting personal data in exchange for a chance to benefit from a fictitious “Recession Relief Programme Fund”. The bogus emails purport to come from Foreign Secretary David Miliband and feature subject lines such as “Global economic crisis relief aid”, as explained in an FCO warning issued on Monday.

The stimulus package announced by government leaders at the G20 conference last month makes the attempted FCO-themed fraud timely, without making it any more plausible. Most internet savvy users would smell a rat a mile off, but it only takes a tiny fraction to respond to make the ruse worthwhile for cybercrooks. Trend Micro notes the ploy is similar to “Obama Stimulus Check” scam emails spammed out in January.

Phishing scams began as an attempt to trick the gullible into handing over login credentials for online banking or PayPal accounts under the guise of security checks.

Over the years the brands targeted by such attacks have expanded to include a much wider range of e-commerce outlets and, occasionally, as with the latest example, messages posing as coming from government departments. Government-themed phishing scams used to offer tax refunds, but now we’re seeing examples of supposed grant offers, another sign that fraudsters are adapting to the recession.

Phishing scams in general are more frequently targeted towards consumers, but businesses are not immune to getting taken to the cleaners either.

Credit: The Register


Economic Woes Ramp Up Online Phishing And Malware Threats

Wednesday, March 11th, 2009

The Federal Trade Commission is warning against the boom of new online scams that promise government grants to aid cash-strapped consumers. Cybercriminals, as expected, are jumping on the economic recession bandwagon. Trust these fraudsters to take advantage of and cash in on the global recession.

These include spammed email messages containing links to websites purported to provide information on how to qualify for the economic stimulus package. These sites download spyware into the affected user’s system instead.

Sample spammed message:

A number of malicious websites could also be posing as pages of government agencies, some complete with logos of various news networks, or even a photo of a smiling President Barack Obama urging users to claim their “free grant money.”

These sites promise free information on how to obtain stimulus money in exchange for the user’s personal information, including name, employment status, salary range and bank account details. This information is supposedly needed to gauge whether the prospective victim qualifies for a grant, but in reality scammers and phishers sell the stolen credentials in underground markets or use them to break into bank and other online accounts.

The FTC is advising individuals who have divulged their personal and banking information to such sites to check their bills for unauthorized charges. Trend Micro continues to monitor the Web for recession-related threats as cybercriminals are expected to ride on the popularity of this global concern.

Credit: Ailene Dela Rosa, Technical Communications, Trend Micro


Gmail Downtime Exposes Attempts To Distribute Malicious Files And Phishing Attacks

Wednesday, February 25th, 2009

During the Gmail downtime experienced yesterday, cybercriminals managed to squeeze in an attempt to distribute malicious files to unsuspecting users. During the downtime, searches for the string “gmail down” yielded a Google Group page, also named Gmail down, as the top result. The page was found displaying a banner with pornographic images, which pointed to a pornographic website. According to Trend Micro researcher Loucif Kharouni, links on the said webpage also lead to malicious files.

The link “Really young good looking teenager-547b4.html” redirects to two different URLs. First, the URL hxxp:// {BLOCKED}worldx.com/software/f352d5ac52/10410/1/Setup.exe prompts the download of a file detected as TROJ_PROXY.AEI. TROJ_PROXY.AEI drops two files, a BAT file and a DLL file. The BAT file is used to load the DLL file, which in turn modifies the registry entries related to proxy server settings. This causes the results of user queries to be redirected to remote sites, mostly related to advertising.

The second URL, hxxp:// {BLOCKED}cktube.com/new/n/Exclusive+Free+porno/3913744, leads to the download of a malicious file detected as TROJ_AGENT.FAKZ. The link “The Dark Knight torrent.zip” leads to the download of the BAT file main_movie_torrent.bat. The said file modifies the attributes of the following files: c:\autoexec.bat, c:\boot.ini, c:\ntldr, c:\windows\win.ini.

It displays a popup message stating “Virus Activated,” then deletes the abovementioned files, which are all critical files related to loading Windows. After doing so, another pop-up message is displayed, this time stating “Computer Over. Virus=Very Yes.” The computer will then shut down after 10 seconds, and will no longer be able to boot into the operating system. This file is now being studied for detection. Please stand by for updates.

The said Google Group has already been deleted, and was reported to have been up for about 25 minutes. This incident serves as proof of how keen cybercriminals’ instincts can be in spotting opportunities to distribute their malicious files.

Hours after the blackout, Gmail users were also hit with a widespread phishing attack. The malicious message spread via the Google Talk instant messaging chat system, urging users to view a video by clicking on a link shortened via the TinyURL service. The link points to a website called ViddyHo, which invited users to submit their Gmail usernames and passwords. The attack was more plausible because the malign messages came via the instant chat system built into Gmail rather than directly by email.

TinyURL has blacklisted the site, rendering the attack inert, but that action is too late for those duped by the ruse, who now need to act quickly. “If you think you might have been duped, make sure you change your Gmail password immediately otherwise your entire address book and all your correspondence, including information that you may have archived about other online accounts, will quickly become rich pickings for the hackers,” warned Graham Cluley, senior technology consultant at Sophos.

Victims were urged to change their passwords before hackers have a chance to abuse their webmail account.

Credit: JM Hipolito, Technical Communications, TrendMicro

Credit: Graham Cluley, Sophos


Fraudsters Prey Upon Public Interest In Current Events to Launch Trojan Attacks On Fake CNN Site

Saturday, January 10th, 2009

RSA FraudAction Research Lab discovered yesterday a social engineering scam designed to lure people, via an email spam attack, to a fake news website designed to look like CNN.com. This “Cease-Fire Trojan Attack” attempts to bait readers leveraging recent news and “graphic and striking” images regarding the Israel-Hamas conflict in Gaza.

The result of this attack is the infection of computers with a Trojan. The fake website is designed to look like CNN.com, but is not a legitimate CNN.com webpage nor is it associated with CNN, its parent company, or its affiliates in any manner.

The scam is yet another example of how adept fraudsters are in engineering attacks with near real-time response to breaking news. It also underscores the opportunistic nature of fraud purveyors who increasingly prey upon public interest and/or concern regarding national or global events of broad importance (such as the recent global economic crisis or the U.S. presidential election).

Infection by the Trojan is accomplished via a silent “drive-by-download” infection kit such as Neosploit, or via social engineering. If the Internet user clicks on the link within the email, they are directed to the fake website. The fake webpage, designed and hosted by the online criminals, is embedded as a link within the spam email. This fake webpage includes another link to what appears to be a legitimate video but is actually a form of crimeware. When visitors click on the video, they get an error message asking them to install Adobe Flash Player 10 in order to play the video, and a link is provided. The associated and completely fake download is not a product of Adobe or its affiliates in any way.

The Trojan that is launched when the link to the fake software installation is accessed is called a Trojan “SSL stealer” that captures financial and personal information of the infected user found on their computer. This particular Trojan is not new or a newly advanced piece of crimeware. What is new is the socially engineered application of this Trojan that exploits users concerned about the recent events in Gaza.

Users should ignore unsolicited emails that ask them for personal information, or entice them to look at something interesting online - even if it seems “normal”, like an email from a friend, financial institution, or a social networking website.

RSA initiated the shutdown process to take down this attack and the site went offline on the night of January 8th. The domain, as usual, was hosted in China.


Internet’s Digital Certificate System Weakness Allows Trusted Web SSL To Be Faked

Tuesday, December 30th, 2008

Researchers have uncovered a weakness in the internet’s digital certificate system that allows them to forge counterfeit credentials needed to impersonate virtually any website that relies on the widely used security measure. Using more than 200 PlayStation 3 game consoles, the researchers are able to create a secure sockets layer certificate for any website of their choosing. The forged certificate causes all the major browsers to display a message indicating the website the user is visiting is legitimate because it’s been vetted by a trusted certificate authority using supposedly robust cryptographic measures.

Such attacks could make it easier for phishers to impersonate the sites of banks and other sensitive online services. The findings were presented Tuesday at the 25th annual Chaos Communication Congress in Berlin by researchers from Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, Eindhoven University of Technology (TU/e) in the Netherlands and independent labs in California.

The attack is based on known weaknesses in the cryptographic hash function known as MD5. In 2004, researchers from China showed it was possible to generate the same MD5 fingerprint for two different messages using off-the-shelf computer hardware. Three years later, a separate group of researchers - many who participated in Tuesday’s presentation in Berlin - built off of those findings by showing how to have almost complete freedom in the choice of both messages.

The latest findings take the known MD5 weaknesses a step further by showing how so-called collisions allow for the creation of valid digital credentials used by certificate authorities, which are appointed organizations that validate the authenticity of websites used for banking and other sensitive online activities. Once the researchers have generated the rogue certificate authority certificate, they can create SSL certificates for any site that will be accepted by just about any web-connecting device.

The vulnerability in the web’s SSL system is made possible by a handful of certificate authorities who continue to rely solely on MD5 to sign certificates. Even though the number amounts to a tiny fraction of authorities, all web browsers continue to accept MD5 hashes. The researchers didn’t identify the certificate authorities by name.

The researchers began their proof-of-concept attack with more than 200 PlayStation 3 consoles running in a Linux cluster, which they used to generate millions of possible certificates. Once they found a pair that had a special collision in the MD5 hash, they requested a legitimate website certificate from one of the authorities that relies only on MD5 to generate signatures.

After copying the signature into a rogue certificate authority credential, they had the ability to generate widely accepted website certificates for any site of their choosing.

To prevent misuse of their certificate, they set it to expire in 2004, so only machines that are badly out of date can be tricked by their attack. Still, Appelbaum says, it should now be clear that MD5 is irretrievably broken and can no longer be trusted.
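The practical defender-side consequence of the research above is to stop accepting certificates whose signature rests on MD5. As an added example (not code from the article or from the researchers it describes), the following Python script reads the two AlgorithmIdentifier fields of an X.509 certificate with a minimal DER walker and rejects the certificate when either names md5WithRSAEncryption (or md2WithRSAEncryption), or when the inner and outer fields disagree, which RFC 5280 forbids. It uses only the standard library; the certificate fixture at the bottom is constructed for the demonstration and is not a real or valid certificate.

```python
"""Flag X.509 certificates whose signature relies on MD5 or MD2.

Added example, not code from the article or the researchers it describes.
A minimal DER walker reads tbsCertificate.signature and the outer
signatureAlgorithm of a certificate and rejects it when either is an MD5/MD2
scheme or when the two disagree (RFC 5280 requires them to match).
"""
import base64

# Dotted OIDs of the RSA signature schemes this check recognises.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def algorithm_oid(alg_id_content):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = read_tlv(alg_id_content, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)                     # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)               # signatureAlgorithm
    tag, _, p = read_tlv(tbs, 0)                        # [0] version is optional...
    if tag == 0xA0:
        _, _, p = read_tlv(tbs, p)                      # ...serialNumber follows it
    _, tbs_alg, _ = read_tlv(tbs, p)                    # signature AlgorithmIdentifier
    return algorithm_oid(tbs_alg), algorithm_oid(outer_alg)


def assess(cert_der):
    """Accept only non-MD5/MD2 signatures whose two algorithm fields agree."""
    inner, outer = signature_algorithms(cert_der)
    reasons = []
    if outer in WEAK_OIDS:
        reasons.append("signed with " + SIGNATURE_OIDS[outer])
    if inner != outer:
        reasons.append("tbsCertificate.signature != signatureAlgorithm")
    return {"inner": SIGNATURE_OIDS.get(inner, inner),
            "outer": SIGNATURE_OIDS.get(outer, outer),
            "accept": not reasons, "reasons": reasons}


def pem_to_der(pem_text):
    """Strip PEM armour so a saved certificate can be fed to assess()."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed fixture: hypothetical bytes, not a real certificate -----------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def alg_id(oid_hex):
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")  # OID + NULL


MD5_RSA = "2a864886f70d010104"       # 1.2.840.113549.1.1.4
SHA256_RSA = "2a864886f70d01010b"    # 1.2.840.113549.1.1.11


def build_fixture(inner_oid_hex, outer_oid_hex):
    """SEQUENCE { tbsCertificate(version, serial, signature), sigAlg, dummy sig }."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg_id(inner_oid_hex))
    sig = der(0x03, b"\x00" + b"\xab" * 32)             # BIT STRING, dummy signature bytes
    return der(0x30, tbs + alg_id(outer_oid_hex) + sig)


if __name__ == "__main__":
    print(assess(build_fixture(MD5_RSA, MD5_RSA)))        # rejected: md5WithRSAEncryption
    print(assess(build_fixture(SHA256_RSA, SHA256_RSA)))  # accepted
```

The walker only reads the two fields the check needs, so it works on any well-formed certificate regardless of what follows in tbsCertificate; a real chain check would also cover every CA certificate in the path, since the rogue credential in the research is an intermediate, not the leaf.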

Credit: The Register


Scammers Spam Lures Into Fake McDonald’s Survey With A Non-existent Money Reward

Monday, December 1st, 2008

Phishing fraudsters are attempting to scam gullible users into handing over their credit card details on the basis of a supposed offer from McDonald’s.

The scam relies on spam emails to trick users into answering a fictitious satisfaction survey that offers a non-existent reward of $75. After completing the quiz, prospective marks are asked to hand over their name, email address and credit card details in order to receive their reward. Crooks will doubtless go on to either use this information to fraudulently buy goods or, more likely, sell it to others in the digital underground.

This isn’t the first time a bogus survey has been used in a phishing attack. Surveys related to Wal-Mart, American Airlines, and even U.S. President-Elect Barack Obama were previously used to collect personal information from potential victims.

Also, similar to this phishing attack on McDonald’s, all of those surveys promised some form of reward to anyone who would participate in the survey. This clearly shows that cyber criminals are taking advantage of users’ tendency to try to save as much money as they can, especially this holiday season.

Credit: Aivee Cortez, Trend Micro Malware Blog


Pamela-systems.com Users Database Breached, Personalized Phishing Hits Skype Users

Monday, November 24th, 2008

Online thieves managed to penetrate the defenses of Pamela Systems by exploiting a security hole in an unnamed application the website uses, according to Dick H. Schiferli, Pamela’s founder and CEO. Pamela is a piece of software that manages Skype users’ online phone accounts. Users of this software should be on the lookout for customized phishing attacks, because the hacked user databases contain names and email addresses.

The attack, which took place last week, has already led to one phishing campaign that calls recipients by their real names and then tries to trick them into turning over personal information. That added personal touch could throw some users off guard because most phishing emails address their marks by generic terms such as “Dear PayPal User.”

It is unclear how many of the site’s users had their information stolen, or how many users have registered with his site. Pamela boasts 4.5 million downloads, although the number of registered users is probably much smaller. Schiferli said his team was still in the process of contacting customers whose information was stolen. “This is our first experience with something like this,” he said. “We’re taking this very seriously. We contacted PayPal last week.” So far, they’ve yet to get a response.

The breach could prove valuable because ostensibly everyone in the user database uses Skype. That provides fraudsters with important leads and information to tailor scams.

Credit: The Register


Fake Windows XP Activation Steals Credit Cards And Personal Details Including SSN

Wednesday, November 19th, 2008

The Kardphisher Trojan, first spotted in the wild in April 2007, is malware that mimics the Windows XP activation interface while collecting the credit card details the end user submits. The new version brings significant changes to the visual interface and usability of the trojan, consequently improving its apparent authenticity.

When a gullible end user falls victim to this social engineering attack, the credit card details end up automatically in an IRC channel set up for that purpose. Some of the changes in the new version include a more legitimate-looking color scheme, improved restrictions that make it much harder for the end user to close the application without submitting their credit card details, built-in validation of credit card numbers and email addresses, and display of the current product key to make the application look more legitimate.

Once the user enters all the validated data, the new version of the tool automatically removes itself as if the activation was successful. A bogus “verified by Visa” message will then request social security number and a date of birth, which makes the trojan the perfect tool in the hands of identity thieves relying on nothing else but plain simple social engineering impersonation of Microsoft.

Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP. Once executed, the Trojan creates the file keylog.dll and creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soft2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKEY_CURRENT_USER\Software\sft\c

The Trojan shuts down the compromised computer if the user does not enter their credit card numbers, and prevents the user from running or switching to another application or to Task Manager. Stolen information is sent to http://81.29.241.170/in.*******.
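The registry paths above are the kind of indicator an incident responder checks on a suspect machine, and a `reg export` file is a convenient thing to collect from it. As an added example (not part of the article and not a vendor signature), the following Python script parses such an export and reports which of the three paths are present. One assumption is made explicit in the code: the article calls all three entries subkeys, but `Run\soft2` and `Policies\System\DisableTaskMgr` are normally values under those keys (an autostart entry and the Task Manager policy), so each indicator is matched both as a key path and as a value name under its parent. The sample export embedded in the script is constructed, and its file path is a placeholder.

```python
"""Triage a Windows .reg export for the Kardphisher registry entries named
in the article. Added example, not from the original post or any vendor.

Each indicator is (parent key, leaf name) and is matched both as a full key
path and as a value name under the parent, because the Run and Policies
entries are normally values rather than subkeys. Registry paths are
case-insensitive, so the comparison is too.
"""

# Indicators copied from the article, split into (parent key, leaf name).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "soft2"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr"),
    (r"HKEY_CURRENT_USER\Software\sft", "c"),
]


def parse_reg_export(text):
    """Parse regedit/`reg export` text into {key_path: {value_name: raw_data}}.

    Handles the forms a triage needs ("name"="str", "name"=dword:..., hex:...);
    hex continuation lines and comments are skipped, [-KEY] deletions ignored.
    """
    registry, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):                  # deletion record, not presence
                current = None
                continue
            current = registry.setdefault(key, {})
        elif current is not None and (line.startswith('"') or line.startswith("@=")):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            current[name] = data.rstrip("\\").strip()
    return registry


def scan(registry):
    """Return hits as (path, kind, data); kind is 'key' or 'value'."""
    lowered = {k.casefold(): (k, v) for k, v in registry.items()}
    hits = []
    for parent, leaf in INDICATORS:
        full = f"{parent}\\{leaf}"
        if full.casefold() in lowered:               # indicator present as a key
            hits.append((lowered[full.casefold()][0], "key", None))
        if parent.casefold() in lowered:             # indicator present as a value
            for name, data in lowered[parent.casefold()][1].items():
                if name.casefold() == leaf.casefold():
                    hits.append((full, "value", data))
    return hits


# Constructed sample export; the executable path is a placeholder, not a real IoC.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

; constructed sample, not a capture from an infected machine
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"soft2"="C:\\Documents and Settings\\user\\PLACEHOLDER.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\sft\c]
"k"=hex:00,01,02
"""

if __name__ == "__main__":
    for path, kind, data in scan(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{kind:5} {path}" + (f" = {data}" if data is not None else ""))
```

On a live system the same export is produced with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm_cv.reg` and the HKCU equivalent; reading the export offline avoids running anything on the suspect host, which matters here because the article notes the trojan blocks Task Manager and other applications while it is active.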


Phishers Celebrate PayPal’s 10th Year Anniversary

Saturday, November 1st, 2008

As PayPal celebrates its 10th anniversary this year, the Trend Micro Blog reports a phishing website that uses the occasion to lure users into its trap. This fraudulent site informs online visitors that PayPal is throwing a party to celebrate the anniversary, supposedly as a way of letting its customers know how much PayPal appreciates their support.

The website looks very much like a typical PayPal page:

It informs recipients that they are invited to the party, where there will be “plenty of fun, food, free flow drinks, music and dance” - and also some cash prizes as well. Like typical invitations, the page asks users to RSVP. To do this however, they must fill out a form first, and there phishers are able to steal user information.

Users who visit this site are asked for their first and last names, telephone number, country of residence and, most importantly, their PayPal email address. The page also has a non-mandatory eBay ID box. Filling out the form compromises victims’ accounts because phishers may then be able to access these themselves.


Undetectable Sinowal/Torpig Trojan Steals More Than 300,000 Bank Accounts

Friday, October 31st, 2008

Security researchers at RSA’s FraudAction Research Lab have uncovered how a banking Trojan may have stolen the login credentials of as many as 300,000 online bank accounts. The Sinowal (AKA Torpig or Mebroot) trojan has also stolen email and FTP account login details. Previous attempts to track the source of the Trojan were unsuccessful.

The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. The program has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.

One popular theory is that the malware authors behind the trojan are in the same gang as the group who ran the infamous Russian Business Network (RBN). RSA’s analysis suggests that the authors of Sinowal may have been at least affiliated with the Storm worm gang in the past but are now running the malware through hosting facilities unaffiliated to the RBN.

Sinowal has only managed to become more productive over time. In the past six months, it has compromised more than 100,000 accounts. Since February, the number of variants has spiked, from fewer than 25 per month to more than 70, according to RSA. The increase helps the malware evade detection by anti-virus programs.

In all, the trojan has infected at least 300,000 Windows machines and stolen 270,000 online banking account numbers and 240,000 credit and debit credentials. Unlike many trojans, it doesn’t rely on tricking the end user into clicking on a link or file to get installed. Rather, it spreads silently via websites that prey on unpatched vulnerabilities in the Windows operating system or in third-party applications, such as Adobe Flash and Apple’s QuickTime media player.

“This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed,” Sean Brady, manager of identity protection at RSA, said in an interview. Sinowal sits dormant on a machine until a user points a browser at the website of a bank or other financial institution. Then an HTML injection engine adds fields to the website’s login page that prompt victims to enter social security numbers, passwords, and other credentials. Once entered, the information is transmitted to a server under the control of the malware authors. The injection mechanism is triggered by more than 2,700 different web addresses.
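The injection described above works because the bank's genuine page never asked for those fields; that gap is something a defender can measure. As an added example (not code from the article or from RSA), the following Python script compares the input fields found in a login page as the browser rendered it against the set of fields the server actually serves, and reports the extras, flagging those whose names look like identity or credential prompts. The expected field list and both sample pages are constructed for the illustration; how the rendered HTML reaches the checker (for instance a DOM snapshot posted back by a page script) is assumed rather than shown.

```python
"""Report login-form fields that the site did not serve (HTML-injection check).

Added example, not from the original article or from RSA. The genuine form's
field list and both sample pages below are constructed. The server knows
which inputs its login form contains; comparing that allowlist against the
inputs present in the page as the browser rendered it exposes fields that a
browser-side injection engine added, such as a social security number prompt.
"""
from html.parser import HTMLParser

# Inputs the (constructed) genuine login form is known to contain.
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Name fragments that mark an identity/credential prompt a login form never needs.
SENSITIVE_HINTS = ("ssn", "social", "card", "pin", "mother", "dob", "birth")


class FormFieldCollector(HTMLParser):
    """Collect the names of input/select/textarea elements, grouped per <form>."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("name") or f"form{len(self.forms)}"
            self.forms.setdefault(self._current, [])
        elif tag in ("input", "select", "textarea") and self._current is not None:
            kind = (a.get("type") or "").lower()
            name = a.get("name")
            if name and kind not in ("submit", "button", "reset", "image"):
                self.forms[self._current].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html):
    """{form id/name: [field names in document order]}"""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.forms


def injected_fields(html, expected=EXPECTED_LOGIN_FIELDS):
    """Fields present in the rendered page but absent from the served form, per form."""
    report = {}
    for form, names in form_fields(html).items():
        extra = [n for n in names if n not in expected]
        if extra:
            report[form] = extra
    return report


def flagged(report):
    """Unexpected fields whose names look like an identity or credential prompt."""
    return sorted(n for extras in report.values() for n in extras
                  if any(h in n.lower() for h in SENSITIVE_HINTS))


# Constructed sample pages: what the server sends, and the same page after injection.
GENUINE_PAGE = """<form id="login" action="/login" method="post">
<input type="hidden" name="csrf_token" value="t0k3n">
<input name="username"><input type="password" name="password">
<input type="submit" value="Sign in"></form>"""

INJECTED_PAGE = """<form id="login" action="/login" method="post">
<input type="hidden" name="csrf_token" value="t0k3n">
<input name="username"><input type="password" name="password">
<label>For your security, confirm your SSN</label><input name="ssn">
<input name="atm_pin" type="password">
<input type="submit" value="Sign in"></form>"""

if __name__ == "__main__":
    print(injected_fields(GENUINE_PAGE))            # {}
    print(injected_fields(INJECTED_PAGE))           # {'login': ['ssn', 'atm_pin']}
    print(flagged(injected_fields(INJECTED_PAGE)))  # ['atm_pin', 'ssn']
```

This is one signal, not a cure: the article says the injected data goes to the attackers' server rather than to the bank, so the comparison has to be made on the rendered page, and a trojan that sits in the master boot record can tamper with whatever client-side script collects that snapshot. It is most useful as telemetry that a particular customer's browser is showing a form the bank never served.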

It then hides itself on a computer’s master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.

RSA is in liaison with computer emergency response teams and other appropriate parties in an effort to take down the network controlled by the Sinowal trojan. The malware, variants of which first appeared in 2006, takes considerable pains to conceal its presence on compromised machines.

In addition, the communication infrastructure behind the trojan is sophisticated and well maintained. Little is known about the group responsible for Sinowal, but at least one clue suggests the group has ties to Russia: While the trojan targets institutions in dozens of countries in North America, Europe and Asia, none were located in Russia.

“The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources. The purpose of this is to maintain the Trojan’s uninterrupted grip on infected computers,” a posting on the RSA security blog explains.

RSA has shared the data it discovered with affected banks in the hopes they will notify customers who are infected.
