A new Storm worm (aka Dorf) campaign has been launched to infect PCs running Windows. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook.
Starting a week ago, the authors have renewed their attacks and published 3 campaigns within the last 8 days. As usual, this most recent Trojan is spread via unsolicited spam email that contains a link to a malicious website. That website contains a link that, when clicked, may run the executable file “fbi_facebook.exe” and infect the user’s system with malicious code.
The email subjects for the latest campaign currently include:
F.B.I. may strike Facebook
F.B.I. watching us
The FBI’s plan to “profile” Facebook
The FBI has a new way of tracking Facebook
F.B.I. are spying on your Facebook profiles
F.B.I. busts alleged Facebook
Get Facebook’s F.B.I. Files
Facebook’s F.B.I. ties
F.B.I. watching you
This latest campaign uses both domain names and bare IP addresses as links. The malware and spam messages changed very little even though the topics and websites were updated regularly.
Users should install anti-virus software, keep its virus signature files up-to-date and never follow unsolicited web links received in email messages.
Several airlines have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. Airlines that issued warnings include Delta Air Lines Inc., Northwest Airlines Corp., Sun Country Airlines and Midwest Airlines Inc. Sun Country also reported these e-mails to Yahoo, Hotmail and the United States Computer Emergency Readiness Team.
A researcher at McAfee Inc. confirmed the campaign in a post to the company’s blog. Messages may appear as follows (updated spam campaigns may appear different):
From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
or
Subject: Online order for flight ticket [number]
Body:
Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:
Your login: [characters]
Your password: [characters]
Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
[name]
[airline]
Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
The e-mails, which purport to be from an airline, thank the recipient for using a new “Buy flight ticket Online” service on the airline’s site, provide a log-in username and password, and say the person’s credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.
However, the .zip attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia. McAfee has labeled the malware “Spy-Agent.bw”; Symantec Corp. has labeled the same Trojan horse “Infostealer.Monstres.”
This Trojan first made a name for itself almost a year ago, when it was used to steal more than 1.6 million customer records from Monster Worldwide Inc., the company that operates the popular Monster.com recruiting Web site.
After recent malware emails disguised as UPS and tax messages, there is a new attack circulating via bogus email messages that claim to be from the “US Customs Service.” The messages may contain the following subject lines:
Customs - We have received a parcel for you
Customs, please read
Parcel requires declaration
Your parcel is at the customs office
The message indicates that a parcel addressed to the recipient of the email has been received. These messages also encourage users to open an attachment that may contain malicious code.
The messages start with a greeting and then say:
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
The attachment is currently called Bill_Tax.zip, and the Trojan inside is a variation of what we’ve seen previously, detected by Sophos as Mal/Spy-A.
Users should not open attachments contained in unsolicited email messages and should use anti-virus software with updated virus signature files.
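Both the airline and the customs lures above deliver their Trojan as an executable inside a .zip attachment, sometimes dressed up with a document icon. The following Python check is an added example (not code from McAfee, Sophos or any vendor cited here): it opens a zip attachment in memory and flags members that Windows would run as code, including double extensions such as E-ticket_1234.doc.exe. The extension list and the sample zips are constructed assumptions.

```python
import io
import zipfile

# Extensions Windows executes directly (assumption: representative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def suspicious_members(zip_bytes):
    """Return member names inside a zip attachment that would run as code.

    Only the final extension counts, so 'E-ticket_1234.doc.exe' is flagged
    even though its name (and icon) suggests a Word document.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                flagged.append(info.filename)
    return flagged


def should_quarantine(attachment_name, zip_bytes):
    """Quarantine decision for one attachment: only .zip files are inspected."""
    if not attachment_name.lower().endswith(".zip"):
        return False
    try:
        return bool(suspicious_members(zip_bytes))
    except zipfile.BadZipFile:
        # A .zip we cannot parse is held too; malformed archives are a common evasion.
        return True


def build_zip(members):
    """Build a zip in memory from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample modelled on the lure: an "e-ticket" that is really a PE file.
    lure = build_zip({"E-ticket_48231.doc.exe": b"MZ\x90\x00"})
    benign = build_zip({"invoice_48231.pdf": b"%PDF-1.4"})
    print(suspicious_members(lure))                        # ['E-ticket_48231.doc.exe']
    print(should_quarantine("E-ticket_48231.zip", lure))   # True
    print(should_quarantine("invoice.zip", benign))        # False
```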
Security researcher Aviv Raff has discovered a pair of basic design flaws that could allow malicious phishing and spamming attacks on your iPhone. According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL spoofing vulnerability that allows attackers to conduct phishing attacks. iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Earlier versions might also be affected.
By creating a specially crafted URL and sending it via email, an attacker can convince the user that the spoofed URL, as shown in the Mail application, belongs to a trusted domain (e.g. a bank, PayPal, social networks, etc.). When the URL is clicked, the Safari browser opens. The spoofed URL, as shown in Safari’s address bar, will still appear to the victim as if it belongs to a trusted domain.
According to Raff, Apple has acknowledged the vulnerability in the Mail application and is still investigating the issue in Safari for iPhone. Apple has also acknowledged that the iPhone’s Mail application is “spammable” and that this is a security issue.
Until a fix is available, users should avoid clicking on links in the Mail application that refer to trusted web sites. Instead, a user should enter the URL of the website manually in the Safari application. iPhone users should consider not using the Mail application until Apple fixes this issue, unless they don’t mind being spammed.
Those security flaws might already be exploited in the wild. Proof-of-concept code for both vulnerabilities has been reported to be available.
Roaring Penguin Software Inc. analysis shows that spam coming from the top free email providers (Gmail, Yahoo Mail and Hotmail) is increasing. Three weeks of spam data research from June 13 to July 3, 2008, reveal that spammers are abusing Gmail’s privacy-preserving feature of not including the sender’s original IP address in outgoing emails.
Spammers are increasingly using free e-mail providers to avoid IP address-based reputation systems. These systems track mail sent by various IP addresses and assign each IP address a rating. Some anti-spam software operates largely or exclusively on the basis of the IP address rating.
Roaring Penguin’s data shows that between June 13 and July 3, the percentage of US-originated spam originating from the top 3 free e-mail providers rose from about 2% to almost 4%. Roaring Penguin believes that spammers are using Google’s service in particular to send spam, relying on the fact that blacklisting Google’s servers is impractical for most organizations. According to their data, the probability that an e-mail originating from a Google server is spam rose from 6.8% on June 13 to 27% (!) on July 3.
Spammers and phishers are interested in the clean IP reputation of free email providers and in the ability to freely create multiple bogus accounts, which are registered automatically by breaking the CAPTCHA-based sign-up check. A CAPTCHA is a test designed to tell humans apart from computers (spam bots). It typically involves typing a word seen in an image or heard on an audio recording. All this allows them to reach the widest possible audience and ensure the successful receipt of their spam/scam.
David Skoll, CTO of Roaring Penguin Software, said: “The effectiveness of IP address-based reputation systems has increased the market value of a good IP address, making spam gangs concentrate their development efforts on breaking CAPTCHAs to create free e-mail addresses from which to spam. We predict a gradual but long-term decline in the effectiveness of IP address reputation systems.”
Websense Security Labs ThreatSeeker Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software.
Spammers quickly react to the latest major online news updates, capitalizing on these events to achieve better success rates with their social engineering tactics. The recent media coverage discussing Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign.
The messages include a link to a compromised site that contains obfuscated JavaScript which tries to exploit a rather old vulnerability in Microsoft Data Access Components (MDAC). Regardless of whether the exploit succeeds or fails, the visitor is then redirected to a page showing a fake security warning that encourages users to download anti-spyware tools to repair their system. Spammers usually use this tactic to encourage users to install rogue applications. In this particular example, the malicious file installs itself as a service on the system.
The same malicious executable is used throughout different spam campaigns bearing the following email subject lines:
Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!!
The group behind the Storm botnet has always been conscious of timing, and this time a new malware spam wave has started, dedicated, of course, to Independence Day. This spam wave directs the user to click on a link that encourages the intended victim to download an infected fireworks.exe file.
The Storm botnet launched the latest campaign on June 3rd. Here’s a partial list of subject lines seen in the latest spam messages:
Amazing Independence Day salute
Amazing firework 2008
America for You and Me
America the Beautiful
Celebrate Independence
Celebrate with Pride
Celebrating Fourth of July
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Fourth of July
Happy Independence Day
Independence Day firework broke all records
Light up the sky
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you’ve ever seen
The best of 4th of July Salute
Well done 4th!
The body of the messages is similar to previous campaigns, with a one line phrase followed by an IP address, such as:
Amazing Independence Day salute http://123.456.789.000/
Amazing Independence Day show http://123.456.789.000/
Bright and joyful Fourth of July http://123.456.789.000/
Celebrate the spirit of America http://123.456.789.000/
Celebrating Fourth of July http://123.456.789.000/
Celebrations have already begun http://123.456.789.000/
Light up the sky http://123.456.789.000/
Proud to be an American http://123.456.789.000/
Stars and Strips forever http://123.456.789.000/
The best firework you’ve ever seen http://123.456.789.000/
Well done 4th! http://123.456.789.000/
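The bodies above share one shape: a single short phrase that repeats the subject, followed by a link whose host is a bare IP address rather than a domain name. The following Python scoring rule is an added example (not code from any vendor named on this page) that turns that shape into a mail-filter check; the sample messages are constructed, and the 192.0.2.x address is a documentation range standing in for the page’s placeholder. It also shows that the page’s own placeholder, 123.456.789.000, is rejected because its octets are out of range.

```python
import ipaddress
import re

# URL whose host is written as a bare IPv4 literal, e.g. http://192.0.2.10/
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?", re.I)


def ip_literal_urls(text):
    """Return every URL in text whose host is a valid bare IPv4 address."""
    found = []
    for m in IP_URL_RE.finditer(text):
        try:
            ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # e.g. 123.456.789.000 has octets > 255 and is not an address
        found.append(m.group(0))
    return found


def storm_lure_score(subject, body):
    """Heuristic score 0-3 for the Storm body pattern described above:
    +1 bare-IP link, +1 one-line body, +1 phrase before the link equals the subject."""
    lines = [l.strip() for l in body.strip().splitlines() if l.strip()]
    urls = ip_literal_urls(body)
    score = 0
    if urls:
        score += 1
    if len(lines) == 1 and len(lines[0]) < 120:
        score += 1
    if urls:
        line = next(l for l in lines if urls[0] in l)
        phrase = line.split(urls[0], 1)[0].strip()
        if phrase and phrase.lower() == subject.strip().lower():
            score += 1
    return score


def is_storm_lure(subject, body, threshold=3):
    """True when the message matches all three traits (threshold is an assumption)."""
    return storm_lure_score(subject, body) >= threshold


if __name__ == "__main__":
    # Constructed samples: one modelled on the campaign, one ordinary internal mail.
    lure = ("Amazing Independence Day salute",
            "Amazing Independence Day salute http://192.0.2.10/")
    legit = ("Team offsite",
             "Hi all,\nThe agenda is at https://intranet.example.com/offsite\nThanks")
    print(storm_lure_score(*lure), is_storm_lure(*lure))     # 3 True
    print(storm_lure_score(*legit), is_storm_lure(*legit))   # 0 False
```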
Visiting the IP address would bring up a page with a fake online video player and a picture of fireworks inside the player. The following text is included below the image:
Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.
Users attempting to watch the fireworks video will instead be infected by malicious code.
The “video” links to an executable called fireworks.exe. In addition, the site also loads an invisible iframe that pulls obfuscated malicious JavaScript from ind.php.
A spam campaign that sends personalized phishing emails through Yahoo! Groups has recently been reported by TrendLabs researchers Jake Soriano and Grace Ermitanyo, who provided a detailed analysis of the attack. Phishers appear to have sent the phishing emails through Yahoo! Groups either by the standard posting method (the Post Message feature on the Yahoo! Groups site) or by sending an email to the group’s @yahoogroups.com address. Thus, users who receive this email from a Yahoo! Group of which they are members are likely to believe that it is legitimate.
The success of this phishing attempt further depends on how the group mailing list is actually moderated. There are settings in Yahoo! Groups spam abuse prevention that allow the moderator to approve all messages before they are sent out to members.
The phishing email provides a link that redirects the recipient to a website with a fake form. The form steals user identities by gathering personal and sensitive information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. These details are sent to the phishers, who may then use the information themselves or sell it in underground forums to cyber criminals.
In one particular case, clients of the Royal Bank of Scotland (rbs.co.uk) are targeted. In the phishing email the URL differs from the actual bank domain and redirects to rtsrv.co.uk.
Moderators of Yahoo! Groups are advised to read about their options for keeping their members safe from spam and phishing attempts in the Yahoo! Groups FAQ on spam abuse prevention.
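The RBS case above turns on a link whose visible text names the bank’s domain while its real target is a look-alike (rbs.co.uk versus rtsrv.co.uk). As an added example, not from TrendLabs or any project on this page, the Python below extracts anchors from an HTML email and reports those whose displayed domain does not match the domain actually linked. The registrable-domain reduction uses a small hand-written suffix set (an assumption; a real filter would use the public suffix list) so that the two .co.uk names are compared correctly; the sample message is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Suffixes under which the registrable domain has three labels (assumption:
# a small illustrative set, not the full public suffix list).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}


def registrable_domain(host):
    """Reduce a hostname to its registrable domain: www.rbs.co.uk -> rbs.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (href, text) pairs whose visible text names a different domain
    than the one the link really goes to. Link text that is not a URL or
    domain (e.g. 'Unsubscribe') has nothing to compare and is skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        target = urlsplit(href).hostname
        shown = urlsplit(text if "://" in text else "http://" + text).hostname
        if not target or not shown or "." not in shown:
            continue
        if registrable_domain(target) != registrable_domain(shown):
            out.append((href, text))
    return out


# Constructed sample modelled on the lure described above.
SAMPLE = ('<p>Please confirm your details at <a href="http://rtsrv.co.uk/rbs/">'
          'www.rbs.co.uk/login</a>. <a href="https://groups.yahoo.com/">Unsubscribe</a></p>')
```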
Email communication in the Marshall Islands was paralysed Tuesday after hackers launched a “zombie” computer attack on the western Pacific nation’s only Internet service provider. The Marshall Islands is a Micronesian island nation in the western Pacific Ocean, located east of the Federated States of Micronesia and south of the U.S. territory of Wake Island.
The attack, which started early Tuesday and in which hackers used computers taken over by viruses to flood the Internet provider with spam emails, caused a complete shutdown of email traffic into the nation of around 55,000 people. More than 18 hours after the initial attack Tuesday, incoming email service to the monopoly provider had still not been restored.
The government-owned National Telecommunications Authority (NTA) was hit with a sudden increase in incoming email, which it described as an attack by “zombie computers”, said an NTA spokesman. While NTA customers could send and receive emails to each other through the local system, virtually no non-NTA emails had been received since Monday, impacting local businesses, banks and government offices.
“Some malevolent person unleashed infected computers to flood NTA with mail,” said an unnamed local information technology expert. “The fact that there were so many messages sent shows a degree of sophistication to the attack.”
Local officials said this attack was believed to be the first on the country’s only Internet service provider.
Nuwar spammers have recently moved from real news of natural disasters and current affairs to creating their own fictional events in an attempt to infect users’ computers. This new high-volume spam campaign uses attention-grabbing subjects to lure people into clicking on the links.
The spam message draws on a list of newsworthy subjects that are used as both the subject and the message body. Here is a list of subjects discovered so far by Sophos and McAfee:
Bad press surrounds US Army as renegade soldiers open fire on civilians
Boston’s MIT hit by massive corruption scandal
Click here for a massive boost to your sex life
Columbia admits directors have been stealing
DA rolls over on Britney foot-fault case
Don’t belittle the effects of power enlargement
Don’t let old age shrivel away your self esteem when you can maintain with herbal supplements
Don’t panic when you cannot score with the girl that you have a crush on
Dutch disqualified from Euro Championships
Enlargement does not involve putting a big hole in your pockets
Ex-Pentagon lawyers challenged on sex abuse in Iraq
Fantastic upgrade to your manhood available now
Gather your loose change to try out the revolutionary herbal supplement
Get the latest herbal enhancements to grow your large howitzer now
Gloomy Americans still spending money admist economy gloom
Great improvement to your sex life guaranteed
Harvard Medical School admits embezzlement by directors
Heir to Prada empire found strangled
Herbal supplement at merely 5 cents a day
Hollywood hit by Aids scandal, more than 20 stars implicated
Italy showed France the difference in length
Keep this new herbal supplement out of reach from your friends
Lakers bombed out after big loss to Celtics
Lindsay Lohan converts to Islam, causes uproar
Make sure you do not miss the action - get your organ enlargement package now
Obama caught with pants down with Clinton
Opponents of gay marriage stay quiet
Ralph Lauren found dead in country home
Red cross shown to abuse power in latest aid
Ring it up for Celtics after fantastic win
Studies have shown that this herbal solution really makes a difference in men’s health
The enlargement is so powerful it will make you increase in your strength
The greatest gift of all is the secret to the fountain of youth
The most affordable herbal supplement that works to increase your self esteem
The real reason why Anne Hathaway splits from longtime love
Try out the latest herbal solution that will make you a new superhero
US election campaign shames after sex scandal exposure
US Soldier throws boy off cliff, villagers enraged
You better be home to receive this package that will change your life
Britney found hanged in locker room
White House hit by lightning, catches fire
Oprah found sleeping the streets
Eiffel Tower damaged by massive earthquake
Donald Trump missing, feared kidnapped
Lastest! Obama quits presidential race
This clever social engineering technique exploits people’s weakness for news of natural disasters and celebrities. The emails contain plain text and always include a link that looks fairly harmless but in fact redirects to a web page that attempts to install malware.
In this particular campaign all the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video, which is actually just an image, it tries to download an executable file. This is detected by McAfee as BackDoor-DNM and also by most other anti-virus products. The spam is also currently detected by anti-spam products.
Users are advised to run updated anti-virus software and never click on links in an email unless they come from a verified person.