According to an annual report from the FBI’s Internet Crime Complaint Center (IC3), financial losses resulting from cybercriminal activities doubled last year compared to 2008. Advance fee scams abusing the FBI’s name were the most reported type of fraud.
The IC3 is a partnership between the FBI, the Bureau of Justice Assistance (BJA) and the National White Collar Crime Center (NW3C). Its purpose is to serve as a bridge between authorities and cybercrime victims by providing the latter with an easy mechanism for submitting complaints about fraudulent activity on the Internet.
According to IC3’s 2009 Annual Report on Internet Crime, almost half of the received complaints mentioned financial losses, which totaled $559.7 million. This is a more than one hundred percent increase over 2008, when reported losses accounted for $264.6 million.
The number of complaints also increased by 22% in 2009 to 336,655, out of which 146,663 were forwarded to authorities. The average dollar loss was $575, but males lost considerably more than females. According to the statistics, for every dollar lost by a female, a male lost $1.51.
The most popular type of fraud registered across 16.6% of complaints consisted of email scams misusing FBI’s name. Meanwhile, 11.9% of complaints reported cases of non-delivered merchandise or payment. Advance fee fraud (9.8%), identity theft and overpayment fraud complete the list of top five complaint types submitted to IC3 in 2009.
As far as perpetrators go, only 38% of complaints specified their residence and 35.1% their gender. Even so, the statistics show that over three quarters of the perpetrators were male. Furthermore, the District of Columbia was the most active cybercrime hub, with 116 perpetrators for every 100,000 inhabitants. It was followed by Nevada with 106, Washington with 81, Montana with 68 and Utah with 60.
“Although this report can provide a snapshot of the prevalence and impact of cybercrime, it is worth noting that knowledge of the ‘typical’ victim or perpetrator of these types of crimes does not imply that atypical Internet users are safe, or that atypical individuals do not commit Internet crimes. Anyone who uses the Internet is susceptible,” the center advises.
Credit: Softpedia.com News
A bogus application that lures Facebook users by falsely offering to show who has been viewing their profile has been exposed as a scam.
Rik Ferguson, a senior security consultant at Trend Micro, warns he has already identified 25 different copies of the same rogue app but using different monikers such as peeppeep-pro, profile-check-online and stalk-my-profile.
All of the rogue apps are spread by updates seeking to lure the friends of previous victims to give the stalkerware a try. Some even offer a photo montage of a victim’s contacts in a bid to add more authenticity. However, none of the apps actually do anything except profit their creators via ad affiliate revenues and deceptive tactics.
“The app itself is designed to look convincing enough, but none of the many ‘Continue’ buttons it offers will activate some under-the-counter profile checking functionality - they will just push you into another Facebook app earning the scammer advertising revenue in the process,” Ferguson explains. “There is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile.”
Facebook recently removed the ability for applications to send notifications directly. The unknown creators of stalk-my-profile have built in functionality designed to get around that limitation while still attracting the attention of would-be marks.
Security staff at Facebook acted promptly on Sunday to remove the rogue apps. That’s all well and good, but Ferguson argues that only the introduction of an app-vetting scheme - something he first suggested over a year ago - stands any chance of bringing under control the growing problem of misuse of the social network by rogue application developers.
A similar scam again involving a supposed answer to the question “Who is checking your profile?” was squashed by Facebook in late February, Websense reported at the time. The reappearance of much the same scam just two weeks later underlines Ferguson’s contention that simply playing whack-a-mole with rogue apps is a waste of resources that unnecessarily endangers Facebook users.
Another run of rogue apps, detected by Ferguson at the end of February, attempted to fool victims into clicking the spam notifications it sent out, earning dodgy developers affiliate-based ad revenues in the process. The app adopted the name “Like” and borrowed the icon from the official Facebook “Likes” function, but was in reality nothing more than cheap crud whose only function was to direct users towards a website offering an application called Zwinky.
Credit: The Register
The perpetrators of a ticket fraud operation that made use of a botnet to subvert protection mechanisms enforced by ticket vendors were indicted earlier this week. The dedicated network of computers spread across the U.S. ran software that impersonated legit buyers and solved CAPTCHA tests.
It’s a well-known fact that, in order to ensure a fair distribution of tickets to the public, online ticket vendors enforce restrictions such as limiting the number of seats a single individual can obtain. In addition, to make sure that only real humans are able to acquire tickets, the order forms are usually accompanied by CAPTCHA challenges.
The indictment filed in Newark, New Jersey, names Kenneth Lowson, Kristofer Kirsch, Joel Stevenson and Faisal Nahdi as defendants. They operated through several companies and are collectively referred to as the “Wiseguys,” after Wiseguys Tickets, Inc., the first and primary firm they controlled.
The operation, which lasted from late 2002 until January 2009, involved fraudulently purchasing thousands of tickets for various events across the United States, and selling them to ticket brokers at higher prices. Investigators estimate that the Wiseguys racked up profits of almost $29 million by re-selling 1.5 million tickets.
In order to pull off the scheme, the gang employed programmers in the United States and Bulgaria, who coded and constantly adapted the software used to acquire the tickets. The program was so good that it solved CAPTCHAs far quicker than humans and was able to snatch up the best seats at high-profile events as soon as tickets went on sale.
But according to prosecutors, the defendants did not stop at damaging online ticket vendors’ ability to ensure a fair distribution of tickets. They went as far as setting up a competing company to distribute tickets on behalf of artists or venues, giving assurances that it was capable of doing what the other vendors were failing to do.
“This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies,” notes Francois Paget, threat researcher at McAfee.
Credit: Softpedia.com News
The name of the popular file analysis service VirusTotal is being abused by cyber-crooks to infect users with scareware. A recent forum spam campaign tries to trick people into visiting a malicious website hosted at virus-total.in.
VirusTotal.com is well known as a free online virus and malware scanning service that allows submitters to test a particular file against a multitude of malware scanners. So it is not surprising that malware authors would try to use that name to further their gain.
Security researchers from Sophos reported a spam run promoting the rogue virus-total domain, delivered as a private message on a forum. The message employs scare tactics in order to frighten users into visiting the scareware-pushing website.
The message looks like this:
Subject: Warning!
DO NOT REPLY TO THIS EMAIL!
***************************
Dear [Redacted forum user name],
You have received a new private message at [Redacted] Forum from [Redacted], entitled “Warning!”.
To read the original version, respond to, or delete this message, you must log in here:
http://[Redacted]
This is the message that was sent:
***************
Dear, [Redacted forum user names]
There are viruses’ activities from your computer! Highly recommend you to scan your computer for malicious and potentially unwanted software. If you do not follow this, I will have to make a complaint to your Internet Service Provider with attached log file (your IP address, etc.). If you want to find a report about your computer’s security and solve every problem with it, please click here: http://www.virus-total.[TLD removed]/detected/[Redacted] This is an online service that you can use for free spyware removal. Use it to scan your computer to help protect, clean, and keep your computer running at its best. Use the free scan to check for and remove viruses, spyware, and other potentially malicious software and to find vulnerabilities or shortcomings in your Internet security.
Thank you. Yours truly, [Redacted].
***************
This attack clearly targets VirusTotal.com, a popular free service which allows users to scan suspicious files with over 40 antivirus engines and other tools. Julio Canto, VirusTotal’s project manager, issued an alert about the rogue virus-total.in website via Twitter.
The site displays bogus security warnings and fake antivirus scans to unsuspecting visitors, tricking them into installing a scareware program called SecurityTool. Rogue security programs such as these are commonly used by cyber-criminals to charge money for useless licenses and steal credit card details.
The pop-up is followed by the loading of a fake scanning page inside the browser.
One of the interesting parts of this fake page is that the “Windows Security Alert” pop-up is actually a time-delayed object inside the page. Even though the box looks like a Windows XP window, it cannot be moved at all.
When the fake scan completes, another pop-up is generated asking the user to download a file called security_tool_setup.exe. Needless to say, this file is malicious and is yet another fake antivirus. This executable has already been proactively detected by Sophos as Mal/FakeVirPk-A.
“An unfortunate side effect of a scam like this is that the real VirusTotal could start to receive emails from irate victims of the fake site claiming they’ve ‘infected my PC’ – fingers crossed it doesn’t get to that stage. Remember: the REAL domain for VirusTotal is Virustotal.com. Don’t fall for this scam!” Sunbelt’s Chris Boyd advises.
Another unusual aspect of this attack is the threat of filing a complaint with a user’s ISP about the virus activity alleged in the spam message. This statement comes at a time when ISPs have announced initiatives to identify compromised computers on their networks and take proactive measures to clean them.
Credit: Softpedia.com News, SophosLabs Blog
After taking a long hiatus, trojan dialers that can rack up thousands of dollars in charges are back by popular demand.
According to researchers at CA Security’s malware analysis lab, a new wave of malicious dialers is hitting users of mobile phones. The trojans are built on the Java 2 Micro Edition programming language and cause infected handsets to send SMS messages to high-cost numbers, at great expense to the victim.
“As soon as the application is loaded, this malicious software starts to send premium text messages,” CA warned on Tuesday. “The messages sent out are in the typical format to invoke premium services and land the mobile user with heavy mobile bills without the user’s knowledge and consent.”
Malware that automatically dials pricey premium numbers was all the rage a decade ago, when dial-up internet services required computers to connect to a phone line. With the growth of broadband connections the frequency of dialers waned.
When the malicious application, which is a JAD file, is loaded on the mobile device, a typical user interface screen is displayed.
The JAD application, however, is packaged with a data file (load.bin) that contains a list of high-cost destination numbers. The malicious application uses this bin file to form the text messages with the desired premium destination. As soon as the application is loaded, it starts to send premium text messages.
The explosion of smartphones that can run software made by anyone has given malicious dialers a new lease on life. And as was the case in the days of yore, they mostly tap into porn services.
Credit: The Register, CA Security
Cybercrime affiliates of unlicensed pharmaceutical websites have begun moving on from attacks purely designed to poison Google search engine results, and are now targeting Microsoft’s web properties.
Search engine poisoners are actively making use of Microsoft’s Windows Live Spaces blog hosting environment, net security firm eSoft reports. Miscreants are creating accounts which they use only to push links to the pharma-fraud sites. As a result the search engine ranking of these spamvertised sites is pushed up.
In addition, spam emails contain the URLs of fake blogs, from which surfers are redirected onto penis pill sites. The tactic is designed to evade spam filters that might already have blacklisted the fraudulent website.
The misuse of fake blogs on Live Spaces is a refinement of the well established practice of link spamming: posting “comments” on legitimate blogs that supply links to dodgy pharmaceutical websites and the like.
Attacks similar to the Live.com blogspamming for fraudulent pharmacy sites have also recently been thrown against both Yahoo and Blogger sites, eSoft adds. The security firm adds that the recent Google job spam scam also infiltrated Microsoft’s Live Spaces environment.
Whatever the distribution method, it’s clear these cybercriminals will continue to evolve new ways of advertising their bogus sites. An alert by eSoft containing screenshots of the fake pharma-punting blogs that have begun affecting Live Spaces can be found here.
Credit: The Register, Threat Center Live Blog
Cybercrooks have begun punting World Cup ticket and HD TV viewing scams as a successor to earlier lottery-based cons.
The revision of the earlier fraud follows the final draw for the 2010 World Cup last Friday. Now, in addition to the opportunity to “claim cash prizes” in a draw by the South African Football Association that they have never entered, prospective marks are also getting offers to “watch live games online”.
Victims of this particular scam pay to download an HD video player, which will supposedly come into its own next year, but actually receive only a rogue security (AKA scareware) product, net security firm McAfee warns. In addition, fake club offers, which promise desperate fans a chance to win match day tickets but are solely geared towards collecting subscriptions, have also begun springing up.
A blog post by McAfee illustrates these varied threats.
Football fans looking to buy tickets are advised to book through fifa.com, or obtain packages via a local football association or reputable travel agents. Unsolicited online offers are almost inevitably going to be fake, while offers through auction sites are also fraught with risk.
Credit: The Register
UK police have completed a massive take-down operation, after targeting scam websites selling fake designer goods. More than 1,200 counterfeit-slinging UK-registered websites were grounded as part of Operation Papworth - an operation led by the Metropolitan Police’s Central e-Crime Unit (PCeU) - which targeted scam websites in the run-up to Christmas.
The sites claimed to offer designer goods - including Ugg Australia Boots, ghd hair straighteners, and jewellery from Tiffany - at discount prices, while actually offering only poor quality counterfeit kit, at best.
Innocent shoppers using the websites were also handing over payment card details that might later be used for credit card fraud. Police reckon many would-be bargain hunters received no goods for their payments.
Consumer Direct, Trading Standards, the Office of Fair Trading and manufacturers helped to identify the fraudulent web sites. Intelligence showed that the vast majority of the sites were registered from Asia, despite their UK domain names. Many were registered using false or misleading details.
The fake registration ploy made it almost impossible for victims to complain, while acting as an obstacle for action by Trading Standards or law enforcement agencies.
The PCeU worked in partnership with UK domain name registrar Nominet to take down fraudulent websites and prevent their re-registration.
The newly established cybercop squad is working with Nominet and other top domain name registrars to prevent future fraudulent site registrations. The Office of Fair Trading has also been brought on board to monitor and clamp down on similar scams in future.
Punters who purchased goods from one of the fraudulent sites are advised to contact Consumer Direct for advice.
Credit: The Register
The CA research blog recently published a list of threats to remind everyone about online safety this holiday season. Here are the top ten according to their list:
No. 1 - Avoid ‘Click-happy’ Accidents
Don’t be a ‘click-happy’ person; be cautious before clicking and following links.
No. 2 - Evil Greeting Cards
Watch your incoming emails! In the past we’ve seen Waledac malicious greeting cards such as “e-Cards”, “You’ve received a Greeting Card…” and recent ones are getting more personalized subjects like “Hello Darling”.
No. 3 - Phishing Tricks
Be aware of phishers! Phishing email commonly targets PayPal, eBay and Amazon users, although bank notification emails and credit card fraud are also among the top schemes of these financially motivated attackers.
No. 4 - Surfing Disaster
Surf the internet safely and make sure your online security protection is turned on (firewall, HIPS and anti-malware). Cyber threats use blackhat search engine optimization to direct traffic to malicious websites.
Another surfing disaster is visiting a legitimate website that is infected with a drive-by download.
No. 5 - Holiday Scammers
If it sounds too good to be true, then think again.
These scams may arrive with a very convincing strategy, offering you a job, big discounts or winnings from a lottery. In most cases, they provide instructions on how to claim the offer, which often require users to hand over an initial sum of money or personal information such as credit card details.
No. 6 - Charity Fraud
Are you in the mood for helping and giving this season?
Donate, but make sure you know and understand the cause of your selected charity organization. Avoid making a hasty decision by just following a good-looking email or visiting an unfamiliar website. Spend time on research and don’t hesitate to ask!
No. 7 - Deceptive Shopping Deals
In a gloomy economy, many of us try to get the best deal for our money. The Internet has been a great source of information, and this includes discount coupons, gift cards and freebies. Scammers will often mislead users and ask for money, for example through a joining or membership fee or by selling items, or try to obtain credit card information.
Online shoppers should be aware of dubious “price-comparison” websites as well.
No. 8 - Dangerous Downloads & Installs
Spammed malware uses social engineering techniques such as the “Delivery Problem”. This email message pretends to come from legitimate companies such as UPS, DHL and FedEx. The convincing look and content often lead to manual download and installation of a malicious program.
Another source of dangerous downloads and installs is looking for pirated software.
No. 9 - Identity Theft
Holiday hackers, password stealers and banking trojans may take advantage of the festive season.
Social networking sites are another notable target this season. These communities are a source of communication and exchange where people get in touch with friends and family by sending greetings and updates and showing photos and videos. Threats such as Koobface may take advantage of the “happy mood” by deploying a customized theme to increase their chances of infection.
No. 10 – Enable Security Protections
Be cautious about your online activity, enable online protection, update your security software and save energy by turning off your computer when not in use (this also keeps insider and outsider threats from sneaking into your files).
Credit: CA Community Blogs, Methusela Cebrian Ferrer
Miscreants have developed a ransomware package that blocks internet access in a bid to force infected users into paying up by sending a text message to a premium rate SMS number, lining the pockets of cybercrooks in the process.
The malware comes bundled in a package called uFast Download Manager and targets potential marks in Russia. Users of infected machines are told (via a Russian language message) that they need to send a text message in order to obtain an activation code for the product, which (ironically) poses as a software package designed to increase download speeds. Victims are told that internet access has been blocked in the meantime because of supposed violations of a licensing agreement.
The ploy is a variant on previous ransomware packages that encrypt and block access to document files. One strain of ransomware detected in January 2008 locks up Windows machines, seeking payment via SMS. That threat wasn’t specific to Russia and didn’t affect a net connection as such but is otherwise very similar to the latest attack.
CA, which detects the threat as RansomSMS-AH, explains how the malware works in greater depth in a blog posting featuring screenshots culled from infected machines.
English translation:
Internet access is blocked due to violation of the license agreement schedules of uFast Download Manager
You must activate your copy
Get a registration code by sending an SMS with the following code fw0004199 to number 7122
In response you will receive an activation message.
Enter the activation message received from the SMS response ________
The anti-virus vendor has developed an activation code generator that allows victims to get online again - providing they can download the utility through an uninfected machine first, of course.
The CA ISBU activation code generator for this particular ransomware can be found here. It can create activation codes only for ransomware detected by CA as Win32/RansomSMS.AH.
Credit: The Register, CA Community Blogs