CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Spam’ Category

Labor Day Sale-Related SEO Poisoning Leads To Rogue Antivirus

Sunday, September 6th, 2009

Websense Security Labs has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country.

When Google is used to search for terms related to Labor Day sales, malicious URLs are returned, ranking as high as the first result. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way.

Screenshot of Web site hosting rogue AV:

Credit: Websense Security Labs

Phishers Attack Facebook With A Variety Of New Scams

Monday, August 17th, 2009

Miscreants have recently begun peppering Facebook with a variety of new phishing scams with sex, sex, sex and more sex featuring prominently.

One example involves a fake customer dispute application page, since pulled, that appeared to have a valid Facebook URL.

The content was actually hosted by Ripway hosting, a service that’s often used and abused by script kiddies, according to Chris Boyd of IM security firm FaceTime.

Boyd said that no Facebook application was involved in the scam, just a valid Facebook app URL and the Ripway hosted scam page.

“It seems someone set up an application developer account with Facebook, placed a fake ‘customer dispute page’ onto their Ripway hosting, which they were somehow able to post onto their Application page and start directing Facebook users to it,” Boyd added.

Another Facebook phishing threat discovered over the weekend involves messages and a rogue Facebook application. The ‘sex sex sex and more sex!!!’ app is sending out notifications that attempt to direct prospective marks to a credential harvesting site.

Ne’er-do-wells have taken steps to disguise the location users are directed towards, explains Rik Ferguson, a security researcher at Trend Micro.

“The hyperlinks in the notification both lead to a malicious website hosted on the fucabook.com domain,” Ferguson explains. “The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refresh tags to pull up the real Facebook website and prompting the victim for their login credentials.”

Harvesting credentials is not entirely new and often not an end in itself. Compromised accounts can be used to send spam or distribute perhaps more pernicious scams. The fact that many people use the same credentials on multiple websites opens up the means for hackers to break into webmail accounts. From there, they can find out what online banking or ecommerce accounts a prospective mark holds, before attempting to break into those accounts.
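
The pattern Ferguson describes (a lookalike domain that loads a script and then meta-refreshes to the genuine site) is something a web proxy or URL-scanning pipeline can flag mechanically. The following Python is an added example written for this page, not code from Trend Micro or FaceTime: it parses a page for `<meta http-equiv="refresh">` targets, measures the edit distance between the serving host and a watch-list of brand domains, and raises a finding when a near-miss host redirects to the real brand. The brand watch-list, the hypothetical `analyse_page` interface and the sample HTML are all constructed; the real fucabook.com page content was never published in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose login pages we want to protect (assumed watch-list, not from the article).
BRAND_DOMAINS = ["facebook.com", "twitter.com", "livejournal.com"]


class MetaRefreshParser(HTMLParser):
    """Collects <meta http-equiv="refresh"> targets and counts <script> tags."""

    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.script_count = 0

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self.script_count += 1
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://host/path" (URL= is case-insensitive)
            match = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", attrs.get("content", ""), re.I)
            if match:
                self.refresh_targets.append(match.group(1))


def levenshtein(a, b):
    """Classic edit distance; written for readability rather than speed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def _belongs_to(host, brand):
    return host == brand or host.endswith("." + brand)


def lookalike_of(host, brands=BRAND_DOMAINS, max_distance=2):
    """Return the brand a host imitates (within max_distance edits), or None.
    A host that genuinely belongs to the brand is never a lookalike."""
    host = _strip_www(host)
    for brand in brands:
        if _belongs_to(host, brand):
            return None
    for brand in brands:
        if levenshtein(host, brand) <= max_distance:
            return brand
    return None


def analyse_page(serving_host, html):
    """Flag a page served from a lookalike host that meta-refreshes to the real brand."""
    parser = MetaRefreshParser()
    parser.feed(html)
    brand = lookalike_of(serving_host)
    findings = []
    for target in parser.refresh_targets:
        target_host = _strip_www(urlparse(target).hostname or "")
        if brand and _belongs_to(target_host, brand):
            findings.append({
                "serving_host": serving_host,
                "impersonates": brand,
                "refresh_to": target,
                "scripts_before_refresh": parser.script_count,
            })
    return findings


# Constructed sample page shaped like the described behaviour (script, then meta refresh).
SAMPLE_PAGE = """<html><head>
<script src="/page.js"></script>
<meta http-equiv="refresh" content="0; URL=http://www.facebook.com/login.php">
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in analyse_page("fucabook.com", SAMPLE_PAGE):
        print("ALERT:", hit)
    print("genuine host:", analyse_page("www.facebook.com", SAMPLE_PAGE))
```

The edit-distance threshold of 2 catches fucabook.com (two substitutions from facebook.com) while leaving unrelated hosts alone; a production deployment would add homoglyph normalisation and a larger brand list, and would treat any finding as a signal to block or sandbox rather than as proof on its own.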

Credit: The Register

Distributed Denial Of Service Attack Takes Down Twitter

Friday, August 7th, 2009

Twitter was knocked offline on Thursday after the site became the victim of a distributed denial of service attack. Users of the micro-blogging service are used to seeing the fail whale, a graphic that appears when service is over capacity, but this time around the site was left completely unreachable from around 1500 on Thursday (UK time) for around 90 minutes.

A terse message on Twitter’s status blog initially said the site was down, before adding “We are defending against a denial-of-service attack, and will update status again shortly”.

Graham Cluley, a security consultant at Sophos, initially said the hallmarks of the outage were not those of a planned downtime.

“Something has clearly gone wrong,” he said. “It could be human error or some other cause. We have nothing to indicate that the outage is caused by a security problem at this point.”

The outage has at least one positive effect. “All those Twitter addicts will be doing something more useful instead,” Cluley quipped.

As Twitter struggled to return to normal Wednesday evening, a trickle of details suggested that the outage that left 30 million users unable to use the micro-blogging service for several hours - at least in part - may have been the result of a spam campaign that targeted a single user who vocally supports the Republic of Georgia.

According to Bill Woodcock, research director at the non-profit Packet Clearing House, the torrent of traffic that brought the site to its knees wasn’t the result of a traditional DDoS, or distributed denial of service attack, but rather people who clicked on a link in spam messages that referenced a well-known blogger called Cyxymu.

As spam goes, the emails looked benign enough. One of them carried the subject “Visit my blog” and contained the words “thanks for looking at my blog” in the body. They contained respective links to Cyxymu’s accounts on Twitter, Facebook, LiveJournal and YouTube, all of which also reported receiving abnormal amounts of traffic on Thursday.

“This was not like a botnet-style DDoS,” Woodcock told The Register. “This was a joejob where people were just clicking on links in email and the people clicking on the links were not malefactors. They were just the sort of idiots that click on links in email without knowing what they are.”

Joejobs are spam messages that are designed not to push Viagra but to induce someone to click on a link in the hopes of harming the site being linked to.

Twitter has so far said little on its blog and status page except that it spent much of the day fighting against a denial of service attack and that as late as 4:45 pm California time, latency problems were still causing some users to receive error pages. Company representatives didn’t respond to emails seeking comment.

The theory was backed by this article from CNET News, which quoted Facebook’s chief security officer saying the attacks targeting multiple websites all contained traffic linking to accounts held by Cyxymu.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Facebook’s Max Kelly told reporter Elinor Mills. “We’re actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back end and to take action against them if we can.”

Kelly made no reference to spam messages, so it remained unclear if the emails were the only cause of the mass requests to Cyxymu’s profiles or if there were other causes as well.

Cyxymu has long been viewed as an antagonist by some Russian supporters, who take issue with the blogger’s coverage of recent military conflicts in Georgia.

Credit: The Register

Twitter Micro-blogging Compromised Accounts Spread Koobface Worm

Sunday, July 12th, 2009

The Koobface worm, which previously infected users of Facebook and MySpace, is spreading among users of micro-blogging website Twitter.

The scale of the attack is unclear but serious enough for Twitter to issue a warning on Friday morning, via the service’s status page:

Some users’ PCs have been infected with a variant of the Koobface malware. This malware sends bogus tweets when the user logs into Twitter.

We are currently suspending all accounts that we detect sending such bogus tweets. If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC.

Koobface-related activity has been detected on Twitter before, but the latest assault has provoked a more concerted response from the micro-blogging service, including plans to temporarily suspend compromised accounts.

Accounts accessed from compromised PCs inject rogue updates into a Twitter stream, supposedly containing a link to a video but actually pointing towards one of around 20 sites loaded with exploit code that poses as a video codec. Windows users who follow these links and install the “codec” wind up infected with Koobface, restarting the whole infection cycle.

Some messages that point to exploit sites promise “michaeljackson’ testament on youtube” while others refer to “My home video :)”, Sophos reports, adding that users should avoid following malvertised links.

Panda Security reports that attempts to install rogue anti-virus (scareware) packages onto compromised machines are made, strongly suggesting that the attack is financially motivated.

Credit: The Register

Mobile Malware Transmitter.C Spreading In The Wild

Wednesday, July 8th, 2009

Researchers from NetQin Tech. are reporting on a newly discovered mobile malware variant (Transmitter.C) distributed through a modified version of a legitimate mobile application. Upon execution, the malware attempts to spread automatically by sending hundreds of SMS messages linking to a web site where a copy of it (sexySpace.sisx) can be found.

NetQin’s CEO, Dr. Lin Yu, provided more insight into the nature of the malware, its financial implications for the infected user, and his thoughts on the future of mobile malware.

As a foreign variant of the earlier erotic short-message virus (Transmitter.A), this virus disguises itself as a normal third-party mobile phone application, “Advanced device locks”, to entice users into installing it. After installation, the virus starts automatically and accesses the network for about 3 minutes. It then sends short messages at intervals of 10 to 15 seconds. The communication record shows a large number of sent short messages, all to unfamiliar numbers, yet none of these messages can be found in the Sent box.

After sending about 500 such messages, the virus traverses the contact cards folder and sends short messages to those entries as well. Furthermore, it automatically identifies the phone’s language and sends different message texts accordingly, such as “Classic Gongfu stories, City passion, Wife change, School girl, Violent incest… Please immediately access?” and “A very interesting girl. Try it now!”, attaching a URL after each message.

This virus runs away with the user’s tariff by sending out short messages at such a high frequency. In addition, it very likely subscribes the user to certain services without consent, further consuming the user’s tariff.

Furthermore, this virus is transmissible. Using obscene short messages, it entices users to click the links in the message contents. Upon clicking such a link, a user downloads the virus to his or her mobile phone and becomes the next spreader. In addition, the virus can also be transmitted disguised as legitimate third-party software placed on websites and forums that offer mobile phone software for download.

Compared with previously discovered Symbian malicious software, Transmitter.C has even stronger transmissibility and harmfulness: it not only has a corresponding server end for coordination, but can also dynamically adapt to the phone’s current language and thus send short messages to address-list entries and unfamiliar numbers in different languages. Furthermore, by using obscene short messages with links, it entices users to click them for installation. Once this virus has spread to a phone, it brings tremendous economic loss and a reputation crisis to the user.

This virus can disguise itself as legitimate software in order to spread. Camouflage mode: the virus’s executable body is attached to normal software to entice users into installing it. This malicious software is designed with the object of making commercial profit. Transmitter.C has promoted some malicious links; very likely, it subscribes users to certain services without consent, thus consuming their tariff. These malicious links may induce a user to download the virus to his or her mobile phone, so that this user becomes the next spreader.
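
The behaviour described above (a message every 10 to 15 seconds to numbers that are not in the address book, roughly 500 of them, none visible in the Sent box) is a rate anomaly that an operator-side or on-device monitor can detect without knowing anything about the malware itself. The following Python is an added example for this page, not NetQin’s code: it slides a five-minute window over an outgoing-SMS log and reports the peak number of messages sent to non-contacts inside any window. The window size, threshold, `detect_sms_bursts` interface and the sample logs are all constructed assumptions.

```python
from datetime import datetime, timedelta


def detect_sms_bursts(events, contacts, window=timedelta(minutes=5), threshold=10):
    """events: iterable of (sent_at: datetime, recipient: str) for outgoing SMS.
    Returns the peak number of messages to non-contact numbers inside any `window`,
    how many distinct unknown recipients were hit, and whether the peak crosses
    `threshold`. Two-pointer sweep over the time-sorted unknown-recipient events."""
    unknown = sorted((t, n) for t, n in events if n not in contacts)
    peak, start = 0, 0
    for end in range(len(unknown)):
        # advance the window start until the window again spans at most `window`
        while unknown[end][0] - unknown[start][0] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "peak_unknown_in_window": peak,
        "unknown_recipients": len({n for _, n in unknown}),
        "total_unknown": len(unknown),
        "suspicious": peak >= threshold,
    }


# Constructed address book for the samples below.
CONTACTS = {"+15550100", "+15550101"}


def build_infected_log(start=datetime(2009, 7, 8, 10, 0, 0), count=30, interval=12):
    """Constructed log shaped like the article's description: one message every
    ~12 seconds to numbers that are not in the address book, with a couple of
    ordinary messages to known contacts mixed in."""
    log = [(start + timedelta(seconds=i * interval), "+1555%06d" % (200000 + i))
           for i in range(count)]
    log.append((start + timedelta(minutes=2), "+15550100"))
    log.append((start + timedelta(minutes=4), "+15550101"))
    return log


def build_normal_log(start=datetime(2009, 7, 8, 10, 0, 0)):
    """Constructed benign log: a few messages to contacts and one to a new number."""
    return [
        (start, "+15550100"),
        (start + timedelta(minutes=20), "+15550101"),
        (start + timedelta(minutes=41), "+15550199"),   # a new acquaintance
        (start + timedelta(minutes=58), "+15550100"),
    ]


if __name__ == "__main__":
    print("infected:", detect_sms_bursts(build_infected_log(), CONTACTS))
    print("normal:  ", detect_sms_bursts(build_normal_log(), CONTACTS))
```

Because the window is anchored on non-contact recipients only, a legitimate burst of replies to friends does not trip the detector, while the malware’s cadence crosses the threshold within the first two minutes; on a real device the next step would be to alert the user and throttle outbound SMS until the source application is identified.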

Credit: ZDNet.com Security Blogs

Beware Of Independence Day Malware Spam By Waledac Botnet

Friday, July 3rd, 2009

Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to supposed videos of Independence Day fireworks which are, in reality, fresh copies of the Waledac malware family.

ESET estimates the size of Waledac’s botnet as tens of thousands of infected computers. More than 20,000 compromised computers will be used to send the malicious emails, in an effort to increase the size of the botnet. This effort will allow the criminals to send out even more spam. Currently, detection of the new variants of Waledac is quite low, with only a handful of antivirus products detecting the newest threat.

The Waledac family has been active since the end of 2008 and has been known to exploit events such as Christmas or Valentine’s day in order to spread in a way very similar to methods used by the infamous Storm Worm. Also, just like the Storm Worm, Waledac uses a peer-to-peer network to receive commands from its controllers. The main objective behind the Waledac operation is to use infected computers to send spam.

Consumers are reminded not to follow links in unsolicited emails, even if they appear to come from someone they know. As dangerous as fireworks can be, when used as directed, they are still safer than unsolicited emails!

Credit: ESET ThreatBlog
Credit: Websense

Michael Jackson Death Prompts Malware And Mass-mailing Worms

Wednesday, July 1st, 2009

Miscreants have created a Michael Jackson mass-mailing worm. The malware follows a growing list of other hacking attacks in the wake of the superstar’s death last week and claims to offer secret songs and photos of Jackson in an attached zip file. In reality, the emails (which claim to come from sarah@michaeljackson.com) offer malicious code.

Prospective marks duped into opening the infected attachment on Windows machines get infected while further spreading the worm. The malware is also capable of spreading via USB memory sticks. The mass mailing worm - identified by Symantec as Ackantta-F - spreads in messages that typically bear the subject line “Remembering Michael Jackson.”

Ackantta is far from the only item of malware trying to ride on the coat-tails of Michael Jackson’s death. For example, an executable file posted on counterfeit photo-sharing sites was detected by F-Secure last week. The malware tried to establish a backdoor on compromised Windows PCs.

Separately, a domain loaded with exploit code - supposedly touting Jackson death conspiracy theories - is actually just an outlet for an exploit tool, Sunbelt Software warns. The domain, complete with Matrix-like animation, is running “Unique Pack” exploit package version 2. The malicious domain is being promoted via an enthusiastic spamming campaign.

Credit: The Register

Fake Microsoft Patch Email Campaigns Install Malware

Thursday, June 18th, 2009

Researchers from Computer Associates and Sophos are reporting on three currently active malware campaigns using fake Microsoft patch themes as a social engineering tactic to spread over email.

The first one is spreading as an “Important Windows XP/Vista Security Update” and is offering a bogus Conficker removal tool, the second is using an “Outlook re-configuration” — also spammed earlier this month — and the third one is using an out-of-band “Update for Microsoft Outlook / Outlook Express (KB910721)” theme, which in reality is nothing else but a trojan.

The fake Conficker removal tool campaign has been active for over a week now. Symantec points out that not only are the authors unable to tell the difference between Troj/Brisv.A and Conficker, but they also misspelled Conficker as ConFlicker while attaching their malware to Symantec’s original removal tool in an attempt to lend the campaign more legitimacy.

A similar fake “Conficker Infection Alert” spam campaign redirecting to scareware took place in April. Cybercriminals continue to stick to the cyclical pattern of the “Microsoft security update/patch” social-engineering theme, but unlike previous campaigns, whose timing was perfect, this latest one is thankfully poorly timed.

The second, Outlook re-configuration campaign serves Outlook_update.exe through several legitimate (and therefore presumably compromised) web sites alongside purely malicious ones. Interestingly, the third campaign, promoting the fake Outlook critical update, attaches the executable officexp-KB910721-FullFile-ENU.exe directly to the email, indicating the senders’ lack of experience with such campaigns.
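
The third campaign’s mistake, attaching the executable directly, is also the easiest one for a mail gateway to act on: vendors distribute patches through their own update channels, not as e-mail attachments, so a patch-themed subject combined with an executable attachment is a reliable quarantine rule. The following Python is an added example written for this page, not code from Computer Associates, Sophos or Symantec. It builds a constructed message reusing the subject line and attachment name quoted in the article, then classifies it with the standard-library `email` package; the sender addresses, the `assess` interface and the extension list are assumptions.

```python
import re
from email.message import EmailMessage

# File types Windows runs on double-click (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".vbs"}

# Subject themes used by the three campaigns described in the article.
UPDATE_THEME = re.compile(
    r"(security update|microsoft|windows|outlook|conficker|conflicker|\bKB\d{6}\b)", re.I
)


def build_message(subject, body, attachment_name=None, payload=b""):
    """Constructed sample message (not a capture from any real campaign)."""
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"   # placeholder sender
    msg["To"] = "user@example.invalid"        # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def executable_attachments(msg):
    """Names of attachments whose extension is directly executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            names.append(name)
    return names


def assess(msg):
    """Quarantine patch-themed mail carrying an executable; hold any other
    executable for review; pass everything else."""
    subject = str(msg["Subject"] or "")
    themed = bool(UPDATE_THEME.search(subject))
    exes = executable_attachments(msg)
    if themed and exes:
        verdict = "quarantine"
    elif exes:
        verdict = "review"          # executable attachment without the patch lure
    else:
        verdict = "pass"
    return {"update_themed": themed, "executable_attachments": exes, "verdict": verdict}


# Sample mimicking the third campaign (subject and attachment name are from the article).
FAKE_PATCH = build_message(
    "Update for Microsoft Outlook / Outlook Express (KB910721)",
    "Please install the attached critical update immediately.",
    "officexp-KB910721-FullFile-ENU.exe",
    b"MZ" + b"\x00" * 16,   # constructed stub, not a real binary
)
BENIGN = build_message("Minutes from Monday", "Attached as agreed.", "minutes.pdf", b"%PDF-1.4")
UNTHEMED_EXE = build_message("Funny thing", "Look at this!", "funny.scr", b"MZ")

if __name__ == "__main__":
    for label, msg in (("fake patch", FAKE_PATCH), ("benign", BENIGN), ("unthemed exe", UNTHEMED_EXE)):
        print(label, "->", assess(msg))
```

The rule deliberately keys on the lure rather than on a specific sample hash, so it also covers the first campaign (“Security Update” plus a bogus removal tool) without any update; the second campaign, which links to Outlook_update.exe on compromised sites instead of attaching it, needs URL inspection that this example does not attempt.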

Credit: ZDNet.com Security Blogs

Twitter Users Hit Once Again, This Time With Rogue Anti-virus Scam

Tuesday, June 2nd, 2009

Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said.

The problem started after a flurry of tweets directed users to a website promising “Best Video.” The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe’s Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software. The scam promoted a piece of rogue anti-virus software dubbed “System Security.”

“This attack is very significant,” Kaspersky researcher Roel Schouwenberg says. “It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we’ve seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks.”

Twitter representatives said Saturday they had contained the problem after temporarily suspending accounts that had been compromised. No confidential information was intercepted, they added.

The high volume of posts on Twitter that encourage readers to follow obscured links to audio, video, and other content has created a click-first-ask-questions-later culture on the micro-blogging site that’s ideal for drive-by attacks. And yet, this weekend’s attack is one of the few to target Twitter users with exploits that install malware.

That’s not to say Twitter hasn’t been targeted in the past. The vast majority of the attacks, though, have been worms that repeat a phrase or link over and over by tricking users to click on links that automatically leave a post. As more posts are generated, more and more Twitter users are bombarded with the malicious links, giving the attacks the ability to spread virally.

Credit: The Register

UEFA Lottery Scam Targets UK Football Fans

Saturday, April 18th, 2009

Fans of Chelsea, Arsenal and Manchester United are being targeted in a new email scam that attempts to trick recipients into sending premium rate text-messages in the hope of winning non-existent Champions League final ticket prizes.

The ruse promises entry in a draw for a chance of a seat at the Stadio Olimpico on 27 May but promises only to empty fans’ pockets, net security firm BitDefender warns. The Champions League and similarly-themed Uefa Cup scams are aimed at mobile subscribers and began circulating earlier this week, before Liverpool and Manchester City were knocked out of the competitions.

“Under the false appearance of a lottery that offers tickets to the final matches, the text-based spam invites recipients to send text messages with the name of their favorite team to a specific number,” BitDefender analyst Razvan Livintz explains. “Most likely, cybercriminals collect a fee for each SMS, but they do not give any ticket to Sükrü Saracoglu Stadium or Stadio Olimpico in return.”

Credit: The Register
