CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Scams’ Category

Yahoo! Groups Are Used By Phishers To Send Personalized Scam Emails

Wednesday, June 25th, 2008

A spam campaign that sends personalized phishing emails through Yahoo! Groups has recently been reported by TrendLabs researchers Jake Soriano and Grace Ermitanyo, who provided a detailed analysis of the attack. The phishers appear to have sent their emails through Yahoo! Groups either via the Post Message feature on the Yahoo! Groups site or by sending an email to the group’s @yahoogroups.com address. Users who receive such an email from a Yahoo! Group of which they are members are therefore likely to believe that it is legitimate.

The success of this phishing attempt further depends on how the group mailing list is actually moderated. Yahoo! Groups’ spam abuse prevention settings allow the moderator to approve all messages before they are sent out to members.

The phishing email provides a link that redirects the recipient to a website with a fake form. The form steals user identities by gathering personal and sensitive information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. These details are sent to the phishers, who may then use the information themselves or sell it in underground forums to cyber criminals.

In one particular case, clients of the Royal Bank of Scotland (rbs.co.uk) are targeted. The URL in the phishing email differs from the actual bank domain and redirects to rtsrv.co.uk.

Moderators of Yahoo! Groups are advised to read about their options related to keeping their members safe from spam and phishing attempts at the Yahoo! Groups FAQ on spam abuse prevention.
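The tell in this campaign is that the link’s host does not belong to the bank it claims to be from. The following Python script is an added example, not code from the original post or from TrendLabs: it extracts every link from an HTML email body and flags those whose registrable domain is not the expected bank domain, or whose visible anchor text shows a different address than the one it actually points to. The sample email is constructed for the example; the suffix list is a deliberately tiny stand-in for the real Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the campaign described above: the anchor text
# shows the bank's real address while the href points at rtsrv.co.uk.
SAMPLE_EMAIL = """
<p>Dear Royal Bank of Scotland customer,</p>
<p>Please visit <a href="http://rtsrv.co.uk/rbs/login.php">https://www.rbs.co.uk/</a>
to confirm your account details.</p>
<p>Questions? See <a href="https://www.rbs.co.uk/help">our help pages</a>.</p>
"""

# Minimal, hand-picked set of two-label public suffixes (an assumption for this
# demo); a production tool would use the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Anchor text that itself looks like a URL or hostname, e.g. "https://www.rbs.co.uk/".
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


def registrable_domain(host):
    """'www.rbs.co.uk' -> 'rbs.co.uk', 'rtsrv.co.uk' -> 'rtsrv.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def find_suspicious_links(html_body, expected_domain):
    """Return [(href, [reasons])] for links that do not belong to expected_domain."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    expected = registrable_domain(expected_domain)
    findings = []
    for href, text in extractor.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            findings.append((href, ["unparseable URL"]))
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # mailto:, relative links etc. are out of scope here
        actual = registrable_domain(parts.hostname)
        reasons = []
        if actual != expected:
            reasons.append(f"link host {parts.hostname} is not under {expected}")
        shown = URL_LIKE_TEXT.match(text)
        if shown and registrable_domain(shown.group(1)) != actual:
            reasons.append(f"visible text {text!r} does not match link host {parts.hostname}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL, "rbs.co.uk"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only the rtsrv.co.uk link is reported, with both reasons; the genuine help link passes. The same check works on any message once you know which organisation it claims to come from, which is exactly the piece of context a list moderator has and a recipient often lacks.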

OSU Bookstore Online Customers Payment Information Stolen

Thursday, June 5th, 2008

According to Oregon State officials, credit card scammers may have defrauded 4,700 online customers of the school’s bookstore. In March, OSP began an investigation into a report that approximately 30 OSU Bookstore customers’ personal information may have been compromised following online orders. Last week, telephone calls and e-mails began coming into the bookstore from customers who had noticed fraudulent charges on their credit cards almost immediately after placing online orders.

Bookstore servers were shut down when the security breach was discovered. The hackers tried different attacks on the Bookstore website and evidently found a vulnerability in it. The security breach appears to have originated outside the university, but its exact origin is unknown.

The Bookstore has alerted its online customers who had made a purchase and hired an outside agency to help with its own investigation and to provide guidance on strengthened security safeguards for its computing network.

Fraudulent avast! Anti-Virus Products Advertised Via Google AdWords

Saturday, May 24th, 2008

The free avast! Home Edition anti-virus is being fraudulently sold via several web sites, many of them advertised through the Google AdWords program. Scam websites offer keys to the free avast! Home Edition and charge users as if it were the paid Professional Edition. When customers receive email “invoices”, there is no mention of avast!; instead there is a list of programs that the customer has never heard of, let alone agreed to buy.

Such websites are in no way associated with the avast! developer (ALWIL Software) and have no way to issue licenses. Any money you spend with them will not allow them to issue a genuine paid-for license. One way to spot a fraudulent site is a message at the bottom of the website, often in small lettering:

This website has no affiliation whatsoever with the owner of this software program, and provides ONLY a link to the software program.

Another way to spot these scam sites is that they often mention a “lifetime” license or a “Gold Package”. No such packages exist for avast! anti-virus.

Here is a list of known scam sites. None of the sites below have any connection with ALWIL Software, and none are authorized resellers of avast!:

www.downloadavast.com
www.avast-downloads.com
avast.free-software-center.com
www.avast-hq.com
www.downloadservicearea.com (DOWNLOADSERV.COM)
download-this.us/avast
www.DownloadAvast.com
www.Avast-Downloads.com
www.avast-2007.com
download-avast.com
www.avast-home.info
www.avasthome.info
www.download-zone-free.com
www.downloadsglobe.com/avast
www.freedownloadspace.com
www.free-download-center.com
free-program-download.com
www.freedownloadpage.com
avast-download-now.com
www.mysoftwaredownloads.com
IP-MyDowloadSite.com
www.thesoftwaremembersarea.com
www.downloadinghome.com
www.bundleway.com

“Download Assist (My Downloading)”, “Market Bill” and “mywebcs” might appear as the payment descriptor on your credit card statement if you have purchased from one of these sites.

Some of those sites are offering free avast! Home Edition wrapped in a new installer which requires a premium rate SMS to be sent in order to gain a license key.

Avast! advises customers who have purchased from one of these sites to contact their credit card issuer and report the transaction as fraudulent. This allows the credit card company to instigate a chargeback against the site, returning the money to the customer. Customers may also wish to contact their local law enforcement organization for statistical monitoring purposes. Customers who cannot confirm where their purchase was made are encouraged to contact avast! sales if they have any doubts about the validity of the purchase.

Hackers And Scammers Continue To Exploit China Earthquake

Thursday, May 22nd, 2008

Spammers and scammers are always ready to jump on the latest disaster or big news headline to try to exploit users. This time it is the Chinese earthquake disaster, which killed more than 50,000 people, that is being used to push scams and malware spam.

In one report, scammers sent out text messages enticing people to send donations to fund aid for helpless victims. Today there was a report of a spam message allegedly from a Filipino seeking financial aid to follow his wounded wife in China.

Here are the first and last portions of the long-winded letter designed to get merciful recipients to take action, i.e. donate money. It starts with:

Dear friend,

I do not know your exact name. I can only guess. I ask you to read through my letter up to the end.

And ends:

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

Next there are emails with infected Word attachments carrying the MalDoc-Fam Trojan. They are being distributed in messages that pose as news about the disaster, net security firm Sophos reports. The malware-tainted emails typically appear with body text suggesting they contain news from China’s official press agency, Xinhua:

BEIJING, May 20 (Xinhua) — The death toll from the earthquake in southwest China’s Sichuan Province has risen to 34,074 nationwide as of 2 p.m. Saturday, while 198,347 people were injured, according to the Information Office of the State Council. Pay attention to attachment for more.

Opening the attached Word document triggers an exploit that downloads malware onto vulnerable Windows PCs. The MalDoc-Fam Trojan is more than a year old, dating from March 2007.

These schemes, much like those that surfaced during previous tragedies, are surely only some of the many that will continue to use this ploy.

Recent reports tell that even the official Web site for donations to the earthquake victims in China, the Chinese Red Cross, has itself been hacked to divert donations elsewhere. Ironically, even if you carefully donate only to legitimate organizations, you can never be sure who will actually get the money nowadays.

Users should be extremely cautious in extending their help. If possible, keep a closer watch of who gets the donation and where it goes.

Users’ Fear Of Illegal Content Targeted By Social Engineering Trojan

Saturday, May 17th, 2008

Another Trojan, discovered by Sophos, exploits the fear of legally forbidden pornographic content and pushes users into purchasing a fake anti-spyware/anti-virus application. The Trojan “Troj/FakeAle-BJ” installs an icon on the Desktop with the filename “CP illegal content.URL” and a bitmap image containing the text “CHILD PORN VIDEO”.

It also displays the following message:

Windows Alert

Critical System Warning! Your system is probably infected with version of Spyware.IEMonster.b. Spyware.IEMonster.b is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. Spyware.IEMonster then sends stolen passwords and other sensitive information to a php script at a pre-specified website where the stolen details are logged. Click here to protect your computer (recommended).

The message is followed by a link that takes users to xpantivirussite.com website.

The Trojan targets users’ fears (as do almost all email and internet scams), and at this point most users will believe they’ve already clicked on something they shouldn’t have. For users who share a computer, having pornographic icons showing all over the Desktop is usually embarrassing, but when they contain the text “CHILD PORN” the impact can be much greater, since it is illegal content and might lead to a lawsuit if discovered. It’s not something most people would want to be associated with in any way, so they gladly click the link and go to xpantivirussite.com, where they subscribe and purchase “XP antivirus”, a fake product that is hard to uninstall and most likely adds nothing but spyware/adware (and possibly malware) to users’ Windows-based systems.

30 Percent Of New Major Social Networks Accounts Are Fraudulent

Wednesday, May 14th, 2008

According to anti-spam firm Cloudmark, in the six months leading up to March 2008 social networking sites saw a fourfold growth in the amount of spam on their networks. At several major social networking sites, 30% of new accounts created are automated fraudulent “zombie” accounts, designed to be used for spam and other malicious attacks. All the major social networks have a spam problem, with volumes ranging from 15 to 30 percent.

The type of spam advertised through social networks is the same as that advertised by email spam, and it is pushed by much the same people. There’s an implicit trust in social networking: people don’t think they’re going to be attacked with spam there, and since people don’t trust email anymore, spammers are simply following people’s online habits.

Social networking spam can be messages between users or posts to walls or other similar applications. Social network spammers most often hijack accounts using fake log-in pages. Phishing-like tactics, password guessing and the use of Trojans to capture keystrokes are also in play.

Junk messages, rigged to appear as though they came from their friends, are more likely to be acted on by recipients on social networking sites compared to the same messages received by email. Social network spammers try to recruit friends by posting profile pictures that depict them as attractive young women. By recruiting people into their groups or networks it’s easier for spammers to subsequently send them spam.

Social networking sites are attractive targets for spammers and identity thieves, because of their large, technically-naive and thus easily duped populations of users. Educating users has a more important role to play than simply applying a technology solution to the problem. As long as gullible users fall prey to social engineering, the spammers and scammers will continue their attacks. In particular the predators are starting to use data-mining techniques to create spam lists, sorted on geographic and demographic criteria. Such lists are of premium value to spammers.

When people come to understand that open social networking carries real risks, not only their privacy but their pockets through identity theft, we can expect to see demand for much more compartmentalized social networking environments.

Identity Theft Scam In Lunardi’s Supermarket In Los Gatos

Tuesday, May 6th, 2008

People who used their bank debit cards at a Lunardi’s Supermarket in Los Gatos have become victims of an identity theft scam. So far 150 victims have been identified and the number is expected to grow, Los Gatos police Capt. Dave Gravel said.

An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi’s supermarket was recently switched, already resulting in more than two dozen reported cases of identity theft. Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night, and additional victim reports continued on Monday and today. Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi’s, 720 Blossom Hill Road, after officials from Lunardi’s contacted them about a problem with one of their card readers.

The thieves transferred that bank information onto cloned cards - any card with a magnetic stripe can be used - and made cash withdrawals from ATMs in Southern California.

Recent shoppers of the Los Gatos Lunardi’s should check the status of their bank or credit card accounts for charges they did not make, according to police. Through an attorney, the Lunardi family, which owns the upscale grocery chain, also declined to discuss specifics about the technology used. In a statement, the owners said the chain “in no way wants to compromise the ongoing investigation by law enforcement authorities or to reveal details of our security measures which could counteract their effectiveness.”

George Silvestri, an attorney for Lunardi’s, said the chain has replaced the payment devices at all seven of its Bay Area locations with machines that are locked onto the checkout stands.

Lunardi’s employees with access to these devices have been trained in security procedures recommended by law enforcement and banking authorities. The thefts at Lunardi’s in Los Gatos come about three weeks after police uncovered a similar scam at an Arco AM/PM in Los Altos.

Anyone who finds fraudulent charges on an account should contact the local police department or the Los Gatos/Monte Sereno Police Department at (408) 354-8600.

MonaRonaDona New Social Engineering Scam

Wednesday, April 2nd, 2008

A malware called “MonaRonaDona” uses social engineering tactics, prompting users to enter the term “MonaRonaDona” into a search engine. This leads them to an application that can remove the unwelcome threat, a fix that has obviously been conveniently provided by the very people who created the virus in the first place.

When the Trojan executes, it creates the file SRVSPOOL.EXE in the startup folder of all user accounts and displays an alert on the compromised computer.

The threat will stop the following applications if their name appears in a window’s title bar; the title bar will also contain a reference to MonaRonaDona:

Date And Time
Windows Task Manager
Microsoft Visual
Windows Media Player
Winamp
Microsoft Office
Microsoft Excel
Microsoft Word
Windows Live Messenger
Registry Editor
Irfanview
Google Talk
Macromedia
Adobe

Once the user enters the name ‘MonaRonaDona’ into an Internet search engine, some of the top search results will be the “cure” for the malware. This fake cure was conveniently created to solve the problem and charge US$39.90 for it.

Currently the top search engine results highlight the fact that this is a scam and warn victims against downloading the Trojan author’s removal application, which costs US$39.90. The website that provides it, Unigray, is down at this moment. While the software does in fact remove the MonaRonaDona Trojan, it is the ONLY malware it removes, despite (falsely) reporting that it has cleaned over 200 other threats. These threats appear to have been randomly selected from the Symantec threat database.

Not surprisingly, the domain unigray.com was only registered on Feb 20 this year - and yet the product claims to detect 679,871 threats.

Symantec antivirus products detect MonaRonaDona as Trojan.Monagray and the Unigray software as misleading application “Unigray”.

Infect Your Own Website Visitors For Russian Cash

Monday, March 31st, 2008

The InstallsCash partnership program invites affiliates to put a short one-line iframe code on their website pages. This hidden iframe is then used to silently redirect any visitor to another website, where the program’s payload is installed via an MPack-like process. Each successful installation originating from the affiliate site earns a payment.

To cover their tracks, the InstallsCash registrar is, of course, in China (bizcn.com). The fake registrant address is in the US (Iowa City) and the e-mail contact is a free webmail service popular in Russia (ydwrtyxamz_at_mail.ru). Obviously, this email account name was randomly chosen.

Subscribers to this “program” are offered a list of accepted payment systems, the usual ones used by online criminals. Having chosen one, they are asked to wait 24 hours for account activation.

After this period a subscriber will receive the IFRAME code, something like:

<iframe src="http://**************610.php" width=1 height=1></iframe>

The iframe has to be hidden on the subscriber’s website and points to another website with a strange, randomly chosen name created by a more or less automated method. It seems the affiliator creates or uses a different one for each affiliate. Thanks to these unique names, the software recognizes each of them; the data can be fed into their stats page and the payments calculated from it.

Basically, subscribers are paid for unique loads of the InstallsCash IFRAME, which means that whoever signs up for InstallsCash and installs their code is infecting and redirecting the visitors of his website using this invisible iframe code.
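A 1x1 or CSS-hidden iframe that loads from a host you do not control is the artefact to look for, whether it was planted by a willing affiliate or injected into a compromised site. The Python script below is an added example, not code from the original post or from InstallsCash: it parses a page’s HTML, collects every iframe, and reports those that are both invisible (tiny dimensions or hidden by inline style) and off-site relative to the site’s own host. The sample page and the placeholder host qpxwzk7a.example are constructed for the example, since the real destination is masked in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page for a site whose own host is shop.example. The second iframe
# mimics the 1x1 affiliate frame described above (placeholder host, the real one is
# masked in the post); the third is hidden by CSS instead of by size.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome to our shop</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://qpxwzk7a.example/610.php" width=1 height=1></iframe>
<iframe src="http://ads.example.net/banner" width="468" height="60"
        style="visibility:hidden"></iframe>
</body></html>
"""

# Inline-style patterns that make a frame invisible to the visitor.
CSS_HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?(?![.\d])"
)


class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> start tag, attribute names lowercased."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def _pixels(value):
    """'1' / '1px' / ' 300 ' -> int; None when the attribute is absent or not numeric."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def hidden_reasons(attrs):
    """Why this iframe would be invisible to a visitor; empty list if it would be visible."""
    reasons = []
    width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        reasons.append(f"frame is only {attrs.get('width')}x{attrs.get('height')} pixels")
    if CSS_HIDDEN.search(attrs.get("style", "").lower()):
        reasons.append(f"hidden by inline style {attrs.get('style')!r}")
    return reasons


def is_offsite(src, site_host):
    """True when src loads from a host other than site_host or one of its subdomains."""
    try:
        host = urlsplit(src).hostname
    except ValueError:
        return True  # malformed URL: treat as untrusted
    if not host:
        return False  # relative URL, same origin as the page
    site_host = site_host.lower()
    return host != site_host and not host.endswith("." + site_host)


def find_hidden_offsite_iframes(html, site_host):
    """Return [{'src': ..., 'reasons': [...]}] for iframes that are both invisible and off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = hidden_reasons(attrs)
        if reasons and is_offsite(src, site_host):
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_offsite_iframes(SAMPLE_PAGE, "shop.example"):
        print(finding["src"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The visible same-site weather widget is left alone; the two hidden off-site frames are reported with the reason they were judged invisible. Pointing the scanner at freshly served copies of your own pages, rather than at the files on disk, also catches frames injected at serving time.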

The InstallsCash distributor admits and warns: “…they will be updating every 3 days and they will be invisible for every antivirus!”

The registrar is bizcn.com and the registrant contact came with another random e-mail address:

Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us

It seems that the same people are behind InstallsCash, IframeCash (September 2006) and IframeDollars (November 2007). In November 2007, the RBNExploit blog discussed that iFrameCash and iFrameDollars were possibly linked to the Russian Business Network. This confirms that RBN trading partners are still in business.

McAfee VirusScan blocks and detects the PHP script as JS/Exploit-BO.gen. Some additional files are detected as Downloader-BDH.

New Online IRS Tax Scams

Saturday, March 29th, 2008

Security experts at Webroot Software report seeing a new wave of keyloggers (programs that secretly record every character you type), system monitors, and viruses leading up to prime tax filing season. Webroot’s Threat Research Team says that more than 1200 new key-logging programs and 336 versions of system-monitoring spyware have been found and defined in the past month alone. Several states warn that con artists have already begun using the highly publicized rebate checks as a ploy to get you to divulge personal financial information.

The increase might be explained by the fact that fewer taxpayers are using old-fashioned paper forms for preparing and submitting their taxes. According to Webroot’s figures, a record 22 million taxpayers filed their taxes from a home computer last year, up 11 percent from the previous year. Scammers know this and figure that your identity is especially vulnerable to theft when you’re filling out your tax documents with a software program or filing them over the Internet.

The federal government expects to issue economic stimulus rebate checks sometime in May or June. IRS refund checks typically arrive within three weeks of the date when you e-file your return. Some fraudulent e-mail messages contain links to fake government Web sites that request your Social Security number and bank account numbers so that the IRS can supposedly process a rebate check. If you resist disclosing the information, the site informs you that you won’t be able to receive your rebate.

Another tax scam involves e-mail messages that target accountants, businesses, and individuals, notifying them of supposed changes in tax laws. These phishing messages direct the recipient to download “updated” tax documents that reflect the new tax laws. The IRS reports having received numerous complaints from people who have downloaded bogus documents to their computer, only to discover that the documents contained malicious code designed to transfer control over the PC to a third party. A growing number of tax-themed e-mail messages contain links to Web sites (not files for download) that attempt to install malware on the visitor’s PC.

WXYZ, the ABC television affiliate in Detroit, reported that a Michigan woman, Maria Mendoza, lost US$4000 when a crook stole her identity and then visited a local H & R Block office to file a tax return, posing as Mendoza. After submitting the return, the scammer asked to receive her $4000 tax refund on the spot, using a Block service called a Rapid Refund debit card.

Fake Shooting Scam Installs Trojan

Saturday, March 29th, 2008

Earlier today SophosLabs reported a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a Trojan. Several different spam messages alert users to the supposed shooting of the e-Gold founder; for example:

E-gold founder, Douglas Jackson, 51, of Sheridan, Mont., was 4 times shot
and killed Friday night on the Seventh Street ramp at East Seventh Avenue by off-duty County Deputy Daniel Montana Jr.,
police said.

A spokesman for the Jackson’s family told Fox 31 that the autopsy
details show the shots came from 3 to 7 feet away and were fired at a level angle, not from someone lying on the ground.

The investigation is ongoing, said DA spokeswoman Pam Russell.

More details at ********.com

A variety of domains have been used in the scam. Browsing to each of the domains redirects to a malicious page on another server. This page contains malicious JavaScript which attempts to install a Trojan on the victim’s computer. The script is proactively detected as Mal/ObfJS-B. The Trojan is detected by runtime HIPS protection as HIPS/FileMod-005. Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ in Sophos Antivirus.

This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims. Such cases provide perfect illustrations of the need for quality security solutions, encompassing anti-spam, web content inspection, URL filtering and runtime protection technologies.

Property Stolen Due To Craigslist Scam

Thursday, March 27th, 2008

According to an Associated Press report, Saturday a pair of ads popped up on Craigslist advertising that the owner of the home had been forced to leave the area and that all of his belongings were free for the taking. The second of the two ads was more specific stating that a horse that had been abandoned by the sheriff’s department was free to anyone willing to give it a good home. This scam has left an Oregon man, Robert Salisbury, without most of his belongings. Robert, the owner of the home and horse, was out of town and completely unaware of the Craigslist ads and that his house was being cleaned out.

When a woman tracked Salisbury down and called him to claim his horse, Salisbury rushed home. He even stopped a truck full of his possessions on the way home. “I informed them I was the owner, but they refused to give the stuff back,” Salisbury told the Associated Press. “They showed me the Craigslist printout and told me they had the right to do what they did.”

Preventative measures to confirm legitimate Craigslist ads, or indeed all print or online classified ads, would be costly and ultimately ineffective, since the phony advertiser could provide confirmation without Craigslist knowing the difference. Besides, isn’t there the old saying “don’t shoot the messenger”? But now that the scam has been revealed, I think it is Craigslist’s responsibility to help track down and turn over the one who originally posted the ad.

Craigslist provides an open service, and it needs to be prepared to deal with the consequences that such an open service can cause.

Only one person caught on to the fact that an ad telling people to pillage a house was too good to be true. Salisbury’s comment on the topic was: “They honestly thought that because it appeared on the Internet it was true, it boggles the mind.”
