CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Spam’ Category

Fake IE 7 Update Spam Installs Malware

Monday, August 11th, 2008

Another round of fake “authority” email has been launched, this time it is a bogus Internet Explorer 7 (IE7) update spam. Here is a current version of the email (it will probably change a bit soon):

From: admin@microsoft.com

Subject: Internet Explorer 7

Message: You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the “Unsubscribe” link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers’ content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

File name in attachment: update.exe

Obviously, Microsoft is not responsible, as it is not an update and it is not from them. The responsible party, as usual, is the user who clicks links in emails from unknown senders without verifying their authenticity. If you run any anti-virus product, you are most likely protected: according to VirusTotal, 33 out of 36 anti-virus vendors detect this malware.


Massive Spam Campaign Spreads False CNN News Items With Fake Flash Player Malware

Thursday, August 7th, 2008

A known social engineering tactic involving Adobe Flash Player is being exploited in a currently active malware campaign. The spammed user is encouraged to click through to a site with a fake news item in order to install a fake Flash Player update (file names might be flashupdate.exe, get_flash_update.exe, watchmovie.mpg.exe). If the user clicks “Cancel” in the dialog that prompts for the update, another pop-up appears telling the victim that they have to download it to view the video. Clicking “Cancel” there returns the user to the first dialog. This puts the user in a perpetual loop, so the only options are to kill the browser session or install the malware. As of last night, this campaign had sent over 80 million messages in the past 24 hours, at a rate of 5 million per hour, according to MX Logic.

This campaign is using fake CNN News Update spam, with subjects like “CNN.com Daily Top 10”. This new CNN tactic is likely to be more successful than the single-line spam tactic we had been seeing over the past several weeks, as this message looks like it could be a news update email sent by CNN. The new message also attempts to trick the user into believing that they signed up to receive it through their email preference settings at the CNN web site. If you see this message come into your inbox, delete it immediately.

Thousands of hacked legitimate websites and domains registered purposely for abuse are currently participating, with the malware authors continuing to use old client-side exploits like those detected in ThreatFire’s assessment at the end of July. Users who fall for any of these news topics might not even get the chance to refuse the download of the infected binary. Exploits involved in these attacks include:

Old MS06-014 MDAC Vulnerability

New Microsoft Office Snapshot Viewer ActiveX control vulnerability

One year old Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow

One year old stack overflow in GomManager

Recent RealPlayer.Console heap vulnerability

Two years old WebViewFolderIcon.setSlice integer overflow vulnerability

Rogue media codecs are being replaced by fake Windows Media Players and fake versions of other legitimate players, as today’s fake applets impersonate legitimate software. Instead of trying to build trust in an unknown brand, criminals impersonate and abuse known brands and their software, which increases the probability that someone will click.

This abuse is serious enough that Adobe has issued a Security Bulletin warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that worms are making fraudulent posts on social networking sites. These posts include links that lead to fake sites, just like the ones spammed by email, that prompt users to update their version of Flash Player. If users attempt to run the installer to make the update, malware may be downloaded and installed onto their systems.

Update (August 13): Another round of malware spam has been launched, this time featuring MSNBC instead of CNN:

Subject: MSNBC Breaking News

Title: msnbc.com - BREAKING NEWS: <some bogus news here>

If you see this message in your inbox, delete it immediately.


New Storm Worm Spam Campaign Mentions FBI And Facebook

Tuesday, July 29th, 2008

A new Storm worm (aka Dorf) campaign has been launched to infect PCs running Windows. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook.

Starting a week ago, the authors renewed their attacks and have published 3 campaigns within the last 8 days. As usual, this most recent Trojan is spread via unsolicited spam email containing a link to a malicious website. That website contains a link that, when clicked, may run the executable file “fbi_facebook.exe” to infect the user’s system with malicious code.

The email subjects for the latest campaign currently include:

F.B.I. may strike Facebook
F.B.I. watching us
The FBI’s plan to “profile” Facebook
The FBI has a new way of tracking Facebook
F.B.I. are spying on your Facebook profiles
F.B.I. busts alleged Facebook
Get Facebook’s F.B.I. Files
Facebook’s F.B.I. ties
F.B.I. watching you

This latest campaign employs both domain names and bare IP addresses as links. The malware and spam messages have changed very little even though the topics and websites are updated regularly.

Users should install anti-virus software, keep its virus signature files up-to-date and never follow unsolicited web links received in email messages.


Airlines Warn Customers Of Ticket Invoices Spam With Infected Attachments

Monday, July 28th, 2008

Several airlines have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. Airlines that issued warnings include Delta Air Lines Inc., Northwest Airlines Corp., Sun Country Airlines and Midwest Airlines Inc. Sun Country also reported these e-mails to Yahoo, Hotmail and the United States Computer Emergency Readiness Team.

A researcher at McAfee Inc. confirmed the campaign in a post to the company’s blog. Messages may appear as follows (updated spam campaigns may appear different):

From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
or
Subject: Online order for flight ticket [number]
Body:

Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).

The e-mails, which purport to be from an airline, thank the recipient for using a new “Buy flight ticket Online” service on the airline’s site, provide a log-in username and password, and say the person’s credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.

However, the .zip attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia. McAfee has labeled the malware “Spy-Agent.bw,” and Symantec Corp. has labeled the same Trojan horse “Infostealer.Monstres.”

This Trojan first made a name for itself almost a year ago, when it was used to steal more than 1.6 million customer records from Monster Worldwide Inc., the company that operates the popular Monster.com recruiting Web site.


Malware Spam Attack Disguised As U.S. Customs and Border Protection Message

Saturday, July 26th, 2008

After recent malware emails disguised as UPS and tax messages, a new attack is circulating via bogus email messages that claim to be from the “US Customs Service.” The messages may contain the following subject lines:

Customs - We have received a parcel for you

Customs, please read

Parcel requires declaration

Your parcel is at the customs office

The message indicates that a parcel addressed to the recipient of the email has been received. The messages also encourage users to open an attachment that may contain malicious code.

The messages start with a greeting and then say:

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

The attachment is currently called Bill_Tax.zip, and the Trojan inside is a variation of what we’ve seen previously, detected by Sophos as Mal/Spy-A.

Users should not open attachments in unsolicited email messages, and should use anti-virus software with updated virus signature files.


Basic Flaws Allow Phishing And Spamming Vulnerabilities In iPhone

Wednesday, July 23rd, 2008

Security researcher Aviv Raff has discovered a pair of basic design flaws that could allow malicious phishing and spamming attacks on your iPhone. According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL spoofing vulnerability which allows attackers to conduct phishing attacks. iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Earlier versions might also be affected.

By creating a specially crafted URL and sending it via email, an attacker can convince the user that the spoofed URL, as shown in the Mail application, is from a trusted domain (e.g. a bank, PayPal, social networks, etc.). When the URL is clicked, the Safari browser opens. The spoofed URL, as shown in the address bar of the Safari browser, will still appear to the victim to be from a trusted domain.

According to Raff, Apple has acknowledged the vulnerability in the Mail application and is still investigating the issue in Safari for iPhone. Apple has also acknowledged that the iPhone’s Mail application is “spammable” and that this is a security issue.

Until a fix is available, users should avoid clicking on links in the Mail application that refer to trusted web sites. Instead, a user should enter the URL of the website manually in the Safari application. iPhone users should consider not using the Mail application until Apple fixes this issue, unless they don’t mind being spammed.

Those security flaws might already be exploited in the wild. Proof-of-concept code for both vulnerabilities has been reported to be available.


Spammers Successfully Avoid IP Address-Based Reputation By Using Free E-mail Providers

Friday, July 18th, 2008

Analysis by Roaring Penguin Software Inc. shows that spam coming from the top free email providers (Gmail, Yahoo Mail and Hotmail) is increasing. Three weeks of spam data, from June 13 to July 3, 2008, reveal that spammers are abusing Gmail’s privacy-preserving feature of not including the sender’s original IP address in outgoing emails.

Spammers are increasingly using free e-mail providers to avoid IP address-based reputation systems. These systems track mail sent by various IP addresses and assign each IP address a rating. Some anti-spam software operates largely or exclusively on the basis of the IP address rating.

Roaring Penguin’s data shows that between June 13 and July 3, the percentage of US-originated spam originating from the top 3 free e-mail providers rose from about 2% to almost 4%. Roaring Penguin believes that spammers are using Google’s service in particular to send spam, relying on the fact that blacklisting Google’s servers is impractical for most organizations. According to their data, the probability that an e-mail originating from a Google server is spam rose from 6.8% on June 13 to 27% (!) on July 3.

Spammers and phishers are interested in the clean IP reputation of free email providers and in the ability to freely create multiple bogus accounts, which are registered automatically by breaking the CAPTCHA-based sign-up check. A CAPTCHA is a test designed to tell humans apart from computers (spam bots). It typically involves typing a word seen in an image or heard in an audio recording. All this allows them to reach the widest possible audience and ensure successful delivery of their spam or scam.

David Skoll, CTO of Roaring Penguin Software, said: “The effectiveness of IP address-based reputation systems has increased the market value of a good IP address, making spam gangs concentrate their development efforts on breaking CAPTCHAs to create free e-mail addresses from which to spam. We predict a gradual but long-term decline in the effectiveness of IP address reputation systems.”


Another Breaking News Social Engineering Spam Installs Malware And Fake Anti-Spyware Tools

Tuesday, July 8th, 2008

Websense Security Labs ThreatSeeker Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software.

Spammers react quickly to the latest major online news, capitalizing on these events to achieve better success rates with their social engineering tactics. The recent media coverage of Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign.

The messages include a link to a compromised site containing obfuscated JavaScript that tries to exploit a rather old vulnerability in Microsoft Data Access Components (MDAC). Regardless of whether the exploit succeeds or fails, the visitor is then redirected to a page showing a fake security warning that encourages users to download anti-spyware tools to repair their system. Spammers usually use this tactic to get users to install rogue applications. In this particular example, the malicious file installs itself as a service on the system.

The same malicious executable is used throughout different spam campaigns bearing the following email subject lines:

Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!!


Storm Botnet Celebrates The Independence Day With New Wave Of Malware Spam

Friday, July 4th, 2008

The group behind the Storm botnet has always been conscious of timing, and this time a new malware spam wave has started, dedicated to Independence Day of course. This spam wave directs the user to click on a link that encourages the intended victim to download an infected fireworks.exe file.

The Storm botnet launched the latest campaign on June 3rd. Here’s a partial list of subject lines seen in the latest spam messages:

Amazing Independence Day salute
Amazing firework 2008
America for You and Me
America the Beautiful
Celebrate Independence
Celebrate with Pride
Celebrating Fourth of July
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Fourth of July
Happy Independence Day
Independence Day firework broke all records
Light up the sky
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you’ve ever seen
The best of 4th of July Salute
Well done 4th!

The body of the messages is similar to previous campaigns: a one-line phrase followed by a bare IP address, such as:

Amazing Independence Day salute http://123.456.789.000/
Amazing Independence Day show http://123.456.789.000/
Bright and joyful Fourth of July http://123.456.789.000/
Celebrate the spirit of America http://123.456.789.000/
Celebrating Fourth of July http://123.456.789.000/
Celebrations have already begun http://123.456.789.000/
Light up the sky http://123.456.789.000/
Proud to be an American http://123.456.789.000/
Stars and Strips forever http://123.456.789.000/
The best firework you’ve ever seen http://123.456.789.000/
Well done 4th! http://123.456.789.000/
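The two Storm posts on this page describe the same lure shape: a body that is one short phrase followed by a link to a bare IP address, under a subject from a short rotating list. The following is an added example, not code from CyberInsecure or the vendors quoted above, of a mail-filter heuristic for that shape; the messages are constructed, the subject list is taken from the two posts, and 192.0.2.0/24 is the RFC 5737 documentation range.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message

# Subject lines quoted in the two Storm posts above (July 4 and July 29, 2008),
# lower-cased for exact lookup; unlisted subjects rely on the body heuristic.
KNOWN_STORM_SUBJECTS = {
    "amazing independence day salute",
    "celebrating fourth of july",
    "stars and strips forever",
    "well done 4th!",
    "f.b.i. watching you",
    "f.b.i. may strike facebook",
}

# http(s) URL whose host is a dotted quad; the lookahead rejects "1.2.3.4.5".
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def bare_ip_links(text: str) -> list:
    """Return the valid IPv4 literals used as URL hosts in text. Quads with an
    octet above 255 (like the 123.456.789.000 placeholder in the article) are
    dropped so the check never fires on something that is not an address."""
    found = []
    for match in BARE_IP_URL.finditer(text):
        try:
            found.append(str(ipaddress.IPv4Address(match.group(1))))
        except ipaddress.AddressValueError:
            continue
    return found


def _text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message: str) -> dict:
    """Score one RFC 822 message against the Storm lure: flag a body that is a
    single non-empty line carrying a bare-IP link, or a known campaign subject
    paired with a bare-IP link anywhere in the body."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    lines = [line for line in _text_body(msg).splitlines() if line.strip()]
    ips = bare_ip_links("\n".join(lines))
    one_line_ip_body = len(lines) == 1 and bool(ips)
    known_subject = subject.lower() in KNOWN_STORM_SUBJECTS
    return {"subject": subject, "ip_links": ips,
            "one_line_ip_body": one_line_ip_body, "known_subject": known_subject,
            "suspicious": one_line_ip_body or (known_subject and bool(ips))}


# Constructed samples; 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_STORM = ("Subject: Amazing Independence Day salute\n\n"
                "Amazing Independence Day salute http://192.0.2.10/\n")
SAMPLE_LEGIT = ("Subject: Your July statement\n\nHi Pat,\n"
                "Your statement is at https://www.example.com/statements\nBilling\n")
```

The subject list alone goes stale as soon as the next wave rotates its topics; the one-line-plus-bare-IP body check is what carries over between the Fourth of July and FBI waves described above.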

Visiting the IP address would bring up a page with a fake online video player and a picture of fireworks inside the player. The following text is included below the image:

Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.

Users attempting to watch the fireworks video will instead be infected by malicious code.

The “video” links to an executable called fireworks.exe. In addition, the site also loads an invisible iframe with obfuscated malicious JavaScript, ind.php.


Yahoo! Groups Are Used By Phishers To Send Personalized Scam Emails

Wednesday, June 25th, 2008

A spam campaign that sends personalized phishing emails through Yahoo! Groups has recently been reported by TrendLabs researchers Jake Soriano and Grace Ermitanyo (who provided a detailed analysis of this attack). Phishers appear to have sent phishing emails through Yahoo! Groups either via the standard posting method, the Post Message feature on the Yahoo! Groups site, or by sending an email to the group’s @yahoogroups.com address. Thus, users who receive this email from a Yahoo! Group of which they are members are likely to believe that it is legitimate.

The success of this phishing attempt further depends on how the group mailing list is actually moderated. There are settings in Yahoo! Groups spam abuse prevention that allow the moderator to approve all messages before they are sent out to members.

The phishing email provides a link that redirects the recipient to a website with a fake form. The form steals user identities by gathering personal and sensitive user information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. These details are sent over to the phishers who may then peruse the information themselves or sell them in underground forums to cyber criminals.

In one particular case, clients of the Royal Bank of Scotland (rbs.co.uk) are targeted. In the phishing email, the URL differs from the actual bank domain and redirects to rtsrv.co.uk.

Moderators of Yahoo! Groups are advised to read about their options related to keeping their members safe from spam and phishing attempts at the Yahoo! Groups FAQ on spam abuse prevention.
