CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Spam’ Category

Another Breaking News Social Engineering Spam Installs Malware And Fake Anti-Spyware Tools

Tuesday, July 8th, 2008

Websense Security Labs' ThreatSeeker Network has discovered a substantial number of spam messages using a social engineering tactic that lures users into downloading malicious software.

Spammers react quickly to the latest major news, capitalizing on these events to achieve better success rates with their social engineering tactics. The recent media coverage of Osama Bin Laden seems to have prompted spammers to recycle an old spam campaign.

The messages include a link to a compromised site hosting obfuscated JavaScript that tries to exploit a rather old vulnerability in Microsoft Data Access Components (MDAC). Regardless of whether the exploit succeeds or fails, the visitor is then redirected to a page showing a fake security warning that encourages users to download anti-spyware tools to repair their system. Spammers usually use this tactic to get users to install rogue applications, so a patched MDAC alone does not protect a user who accepts the download. In this particular example, the malicious file installs itself as a service on the system.

The same malicious executable is used across different spam campaigns bearing the following email subject lines:

Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!!


Storm Botnet Celebrates The Independence Day With New Wave Of Malware Spam

Friday, July 4th, 2008

The group behind the Storm botnet has always been conscious of timing, and this time a new malware spam wave has started, dedicated of course to Independence Day. The messages direct the user to click a link that encourages the intended victim to download an infected fireworks.exe file.

The Storm botnet launched the latest campaign on June 3rd. Here's a partial list of subject lines seen in the latest spam messages:

Amazing Independence Day salute
Amazing firework 2008
America for You and Me
America the Beautiful
Celebrate Independence
Celebrate with Pride
Celebrating Fourth of July
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Fourth of July
Happy Independence Day
Independence Day firework broke all records
Light up the sky
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you’ve ever seen
The best of 4th of July Salute
Well done 4th!

The body of the messages is similar to previous campaigns: a one-line phrase, usually repeating the subject, followed by a bare IP address rather than a domain name (the address shown below is a placeholder, not a valid IP), such as:

Amazing Independence Day salute http://123.456.789.000/
Amazing Independence Day show http://123.456.789.000/
Bright and joyful Fourth of July http://123.456.789.000/
Celebrate the spirit of America http://123.456.789.000/
Celebrating Fourth of July http://123.456.789.000/
Celebrations have already begun http://123.456.789.000/
Light up the sky http://123.456.789.000/
Proud to be an American http://123.456.789.000/
Stars and Strips forever http://123.456.789.000/
The best firework you’ve ever seen http://123.456.789.000/
Well done 4th! http://123.456.789.000/

Visiting the IP address brings up a page with a fake online video player showing a picture of fireworks. The following text appears below the image:

Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.

Users attempting to watch the fireworks video are instead infected with malicious code.

The “video” links to an executable called fireworks.exe. In addition, the site loads an invisible iframe pointing at ind.php, which serves obfuscated malicious JavaScript, so the page attacks the browser as well as offering the executable lure.
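The message format described above (a one-line phrase echoing the subject, followed by a link to a bare IP address) is easy to check for mechanically. The following is an added example, not code from the original article or from any vendor it cites: it parses a few constructed sample messages, extracts the URL hosts, and flags any link whose host is an IP literal (IPv4, IPv6 in brackets, with or without userinfo and port), using the subject-echoed-in-body trait as corroboration. The RFC 5737 documentation addresses and the `example.com` domain are stand-ins chosen for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample messages modelled on the bodies quoted above. The addresses are
# RFC 5737 documentation addresses standing in for the real botnet hosts.
SAMPLE_MESSAGES = [
    "Subject: Amazing Independence Day salute\n\n"
    "Amazing Independence Day salute http://192.0.2.10/\n",
    "Subject: Light up the sky\n\n"
    "Light up the sky http://198.51.100.7/\n",
    "Subject: Well done 4th!\n\n"
    "Well done 4th! http://[2001:db8::1]/\n",
    "Subject: Q2 report\n\n"
    "Please review https://intranet.example.com/reports/q2.pdf\n",
]

# Captures the authority part of an http(s) URL (host, optional userinfo/port).
URL_HOST_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)


def ip_literal(host):
    """Return the normalised IP if the URL host is a bare IP literal, else None.

    Handles userinfo (user@host), ports and bracketed IPv6 hosts; anything that
    ipaddress cannot parse is treated as a hostname.
    """
    host = host.rsplit("@", 1)[-1]
    if host.startswith("["):
        end = host.find("]")
        host = host[1:end] if end != -1 else host[1:]
    else:
        host = host.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def analyse(raw_message):
    """Report the two Storm traits for one message: a bare-IP link (the flag) and a
    body that opens by repeating the Subject line verbatim (corroboration)."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    body = msg.get_payload()
    hosts = URL_HOST_RE.findall(body)
    ips = [ip for ip in (ip_literal(h) for h in hosts) if ip]
    reasons = []
    if ips:
        reasons.append("ip_literal_url")
    if subject and hosts and body.lstrip().startswith(subject):
        reasons.append("subject_repeated_in_body")
    return {
        "subject": subject,
        "ip_hosts": ips,            # indicators worth blocking at the proxy
        "reasons": reasons,
        "flagged": "ip_literal_url" in reasons,
    }


def scan(messages):
    """Analyse a batch of raw RFC 822 messages."""
    return [analyse(m) for m in messages]


if __name__ == "__main__":
    for result in scan(SAMPLE_MESSAGES):
        print(result)
```

Legitimate mail rarely links to a raw IP address, which is also why URI blocklists keyed on domains miss these messages; the extracted `ip_hosts` are the indicators to feed to a web proxy or firewall while the campaign is live.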


Yahoo! Groups Are Used By Phishers To Send Personalized Scam Emails

Wednesday, June 25th, 2008

A spam campaign that sends personalized phishing emails through Yahoo! Groups has recently been reported by TrendLabs researchers Jake Soriano and Grace Ermitanyo, who provided a detailed analysis of the attack. The phishers appear to have sent the emails through Yahoo! Groups either via the site's Post Message feature or by sending an email to the group's @yahoogroups.com address. Users who receive such an email from a Yahoo! Group of which they are members are therefore likely to believe it is legitimate.

The success of this phishing attempt further depends on how the group mailing list is moderated. Yahoo! Groups' spam abuse prevention settings allow the moderator to approve all messages before they are sent out to members; an unmoderated group relays the phishing message to every member automatically.

The phishing email provides a link that redirects the recipient to a website with a fake form. The form harvests personal and sensitive information such as phone numbers, PINs, passwords, account numbers and debit card numbers. These details are sent to the phishers, who may use the information themselves or sell it on underground forums to other criminals.

In one particular case, clients of the Royal Bank of Scotland (rbs.co.uk) are targeted. The URL in the phishing email does not point at the bank's domain but redirects to rtsrv.co.uk, which a recipient can spot by inspecting the link's actual destination rather than its displayed text.

Moderators of Yahoo! Groups are advised to read about their options for keeping members safe from spam and phishing in the Yahoo! Groups FAQ on spam abuse prevention.


Marshall Islands Email Service Paralysed By Spam Attack

Tuesday, June 24th, 2008

Email communication in the Marshall Islands was paralysed on Tuesday after attackers launched a “zombie” computer attack on the western Pacific nation's only Internet service provider. The Marshall Islands is a Micronesian island nation in the western Pacific Ocean, located east of the Federated States of Micronesia and south of the U.S. territory of Wake Island.

The attack, which started early Tuesday and in which the attackers used computers taken over by viruses to flood the Internet provider with spam emails, caused a complete shutdown of email traffic into the nation of around 55,000 people. More than 18 hours after the initial attack, incoming email service to the monopoly provider had still not been restored.

The government-owned National Telecommunications Authority (NTA) was hit with a sudden increase in incoming email, which an NTA spokesman described as an attack by “zombie computers”. While NTA customers could send and receive emails to each other through the local system, virtually no non-NTA emails had been received since Monday, affecting local businesses, banks and government offices.

“Some malevolent person unleashed infected computers to flood NTA with mail,” said an unnamed local information technology expert. “The fact that there were so many messages sent shows a degree of sophistication to the attack.”

Local officials said this attack was believed to be the first on the country’s only Internet service provider.


Another Round Of Fake Breaking News Spam Installs Malware

Saturday, June 21st, 2008

Nuwar spammers have recently moved from real news of natural disasters and current affairs to inventing their own fictional events in an attempt to infect users' computers. This new high-volume spam campaign uses attention-grabbing subjects to lure people into clicking the links.

Each message takes one line from a list of newsworthy subjects and uses it as both the subject line and the message body. Here is the list of subjects discovered so far by Sophos and McAfee:

Bad press surrounds US Army as renegade soldiers open fire on civilians
Boston’s MIT hit by massive corruption scandal
Click here for a massive boost to your sex life
Columbia admits directors have been stealing
DA rolls over on Britney foot-fault case
Don’t belittle the effects of power enlargement
Don’t let old age shrivel away your self esteem when you can maintain with herbal supplements
Don’t panic when you cannot score with the girl that you have a crush on
Dutch disqualified from Euro Championships
Enlargement does not involve putting a big hole in your pockets
Ex-Pentagon lawyers challenged on sex abuse in Iraq
Fantastic upgrade to your manhood available now
Gather your loose change to try out the revolutionary herbal supplement
Get the latest herbal enhancements to grow your large howitzer now
Gloomy Americans still spending money admist economy gloom
Great improvement to your sex life guaranteed
Harvard Medical School admits embezzlement by directors
Heir to Prada empire found strangled
Herbal supplement at merely 5 cents a day
Hollywood hit by Aids scandal, more than 20 stars implicated
Italy showed France the difference in length
Keep this new herbal supplement out of reach from your friends
Lakers bombed out after big loss to Celtics
Lindsay Lohan converts to Islam, causes uproar
Make sure you do not miss the action - get your organ enlargement package now
Obama caught with pants down with Clinton
Opponents of gay marriage stay quiet
Ralph Lauren found dead in country home
Red cross shown to abuse power in latest aid
Ring it up for Celtics after fantastic win
Studies have shown that this herbal solution really makes a difference in men’s health
The enlargement is so powerful it will make you increase in your strength
The greatest gift of all is the secret to the fountain of youth
The most affordable herbal supplement that works to increase your self esteem
The real reason why Anne Hathaway splits from longtime love
Try out the latest herbal solution that will make you a new superhero
US election campaign shames after sex scandal exposure
US Soldier throws boy off cliff, villagers enraged
You better be home to receive this package that will change your life
Britney found hanged in locker room
White House hit by lightning, catches fire
Oprah found sleeping the streets
Eiffel Tower damaged by massive earthquake
Donald Trump missing, feared kidnapped
Lastest! Obama quits presidential race

This social engineering technique exploits people's weakness for news of natural disasters and celebrities. The emails are plain text and always include a link that looks fairly harmless but in fact leads to a web page that attempts to install malware.

In this particular campaign all the links go to a fake PornoTube page hosted on legitimate sites that have been hacked. Clicking the video, which is actually just an image, triggers the download of an executable file. McAfee detects it as BackDoor-DNM, and most other anti-virus products detect it as well. The spam itself is currently caught by anti-spam products.

Users are advised to run updated anti-virus software and never click on links in an email unless they come from a verified sender, and even then to check where the link actually points.


New Malware Spam Reporting Bogus Beijing Earthquake Targets Olympic Games Fans

Thursday, June 19th, 2008

Botnet operators are using false reports about an earthquake near Beijing that could disrupt the Olympic Games to spread malware. Unsolicited emails discovered to be part of a new malicious spam campaign claim that another earthquake has just occurred in China and could derail the upcoming Games.

Samples of the bogus alert doing the rounds, intercepted by SophosLabs, feature subject lines such as “Million dead in Chinese quake” and links to websites on .cn domains. These sites claim a quake measuring 9.0 on the Richter scale has caused millions of casualties. The pages contain links to a supposed video that actually downloads the Nuwar-E malware onto Windows-based PCs.

Net security firm Sophos reports that the .cn domains advertised in the attack are likely hosted on a botnet. Each DNS query for the domains returns a different IP address, the fast-flux pattern in which a constantly changing set of compromised hosts serves up the malware; the domain name, not any single IP address, is the stable indicator to block.
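The behaviour Sophos describes, a domain whose A records change on every query, can be scored from a resolver's own observations. Below is an added example, not code from the original article or from Sophos: it summarises constructed DNS observations (domain, TTL, answers) per domain and flags those that return many distinct addresses spread across several /24 networks with a short TTL. The domains, addresses (RFC 5737 ranges) and thresholds are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS observations as (domain, ttl_seconds, A records), one tuple per
# query, as a resolver or passive-DNS sensor would record them. All addresses are
# from the RFC 5737 documentation ranges and the domains are placeholders.
OBSERVATIONS = [
    ("quake-video.example.cn", 0,    ["198.51.100.7", "203.0.113.42", "198.51.100.120"]),
    ("quake-video.example.cn", 0,    ["203.0.113.9", "198.51.100.200", "192.0.2.33"]),
    ("quake-video.example.cn", 30,   ["192.0.2.150", "203.0.113.42", "198.51.100.7"]),
    ("quake-video.example.cn", 0,    ["198.51.100.61", "192.0.2.8", "203.0.113.199"]),
    ("cdn.example.org",        60,   ["198.51.100.10", "198.51.100.11"]),
    ("cdn.example.org",        60,   ["198.51.100.11", "198.51.100.10"]),
    ("www.example.org",        3600, ["203.0.113.5"]),
    ("www.example.org",        3600, ["203.0.113.5"]),
]


def summarise(observations):
    """Collapse per-query observations into per-domain statistics."""
    per_domain = defaultdict(lambda: {"queries": 0, "ips": set(), "ttls": []})
    for domain, ttl, answers in observations:
        d = per_domain[domain]
        d["queries"] += 1
        d["ttls"].append(ttl)
        d["ips"].update(answers)
    stats = {}
    for domain, d in per_domain.items():
        # /24 diversity is a cheap stand-in for "hosts spread across unrelated
        # networks"; a production system would look up the ASN of each address.
        prefixes = {ipaddress.ip_network(ip + "/24", strict=False) for ip in d["ips"]}
        stats[domain] = {
            "queries": d["queries"],
            "distinct_ips": len(d["ips"]),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(d["ttls"]),
            "ips_per_query": len(d["ips"]) / d["queries"],
        }
    return stats


def is_fast_flux(stat, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag a domain whose answers keep changing, span several networks and carry a
    TTL short enough to rotate them. The thresholds are assumptions for this example."""
    return (stat["distinct_ips"] >= min_ips
            and stat["distinct_prefixes"] >= min_prefixes
            and stat["min_ttl"] <= max_ttl)


def flux_domains(observations):
    """Return the sorted list of domains that look fast-flux hosted."""
    stats = summarise(observations)
    return sorted(d for d, s in stats.items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, stat in summarise(OBSERVATIONS).items():
        print(domain, stat, "FLUX" if is_fast_flux(stat) else "")
```

Treat the output as a triage signal rather than a verdict: content delivery networks and round-robin load balancers also answer with short TTLs and several addresses, which is why the check insists on addresses from unrelated networks and why the `cdn.example.org` sample is not flagged.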

The recent Chinese earthquake is still so fresh in people's minds that many computer users won't think twice before opening this email and clicking on the link. The spammers are using one of the most common tricks to spread their malware, and as long as people continue to open unsolicited emails, the spammers will continue.

Sophos experts note that by using the highly anticipated Olympic Games, due to take place in Beijing in August, the spammers hope to take advantage of the excitement surrounding the event to trick unsuspecting computer users into downloading their malware. They are counting on users being so eager to find out more that they forget their common sense. According to Sophos, we are likely to see more spam referencing the Olympic Games as the event nears.


Cross-Site Scripting Vulnerability On Dogpile.com Helps Malware Spam Distributors

Monday, June 9th, 2008

Over the last few months, countless malware campaigns have abused Google and DoubleClick redirect links in their spam. Clicking on such a safe-looking link results in a redirection to a malware-hosting site and an infection of the user's Windows machine.

Even though it took Google some time to close its redirector, the malware authors have simply switched to an open redirect on Dogpile.com. The reports file it as a cross-site scripting vulnerability, but no script is injected: the site forwards visitors to whatever URL is supplied in the rawURL parameter, so a link that originates from the dogpile.com domain can land anywhere. Here is an example:

http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://CNN.com&0=

It is safe to click on this link; it will just redirect you to CNN.com. Malware authors are actively using this redirection to infect users by sending them confusing, safe-looking links to exploit-hosting sites. The sad thing is that another redirection vulnerability on Dogpile was discovered and reported back in November 2007. It is still unfixed.

Google has done quite a bit to fix its redirection problem, and Dogpile should also fix it soon (hopefully), but the party will just move to a different location. A good example is a redirection vulnerability on Devicelock.com, reported by XSSed and still unfixed.
DeviceLock, Inc. is a “worldwide leader in endpoint device control security” and on their website they offer a security solution that prevents unauthorized access to USB devices. They proudly use a Content Management System (CMS) called Bitrix, and here is the redirection example on their website, where the goto parameter is forwarded to without any check:

http://www.devicelock.com/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=http://CNN.com

Let's say an average user receives an email with a link like the one above. The email says that he has won some free DeviceLock promotional product and all he needs to do to claim it is click that link. The user clicks the link, is redirected to a malware-hosting site, and another Windows machine probably gets infected. Although the number of popular and trusted domains is limited, it seems malware spam will carry such redirection links for a long time.
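Both redirectors above have the same defect: the destination parameter is used as-is. The following is an added example, not code from the original article, from Dogpile or from DeviceLock: it shows the unsafe behaviour the article describes beside a hardened version that resolves the parameter against the site's own origin and refuses any result that is off-site, uses a non-http(s) scheme, or smuggles a foreign host via userinfo. The site origin and the allow-list of hosts are assumptions chosen to mirror the DeviceLock example.

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed for this example: the redirector's own origin and the only hosts a
# redirect is allowed to land on.
SITE_ORIGIN = "https://www.devicelock.com"
ALLOWED_HOSTS = {"www.devicelock.com", "devicelock.com"}


def redirect_target_unsafe(query_string, param="goto"):
    """The behaviour the article describes: whatever the parameter holds becomes
    the Location header, so any host on the Internet is a valid destination."""
    return parse_qs(query_string).get(param, [""])[0]


def redirect_target_safe(query_string, param="goto", default="/"):
    """Resolve the parameter against the site origin and refuse anything off-site."""
    raw = parse_qs(query_string).get(param, [""])[0]
    if not raw:
        return default
    # Backslashes and control characters are parsed differently by browsers and
    # URL libraries; refuse them rather than guess which parser wins.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in raw):
        return default
    # urljoin keeps relative paths on-site; an absolute URL or a '//host' network-
    # path reference replaces the origin, which the checks below then catch.
    target = urljoin(SITE_ORIGIN + "/", raw)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return default                      # javascript:, data:, and friends
    if "@" in parts.netloc:
        return default                      # http://www.devicelock.com@evil.example/
    if parts.hostname not in ALLOWED_HOSTS:
        return default                      # http://CNN.com, //evil.example, lookalikes
    return target


if __name__ == "__main__":
    query = "event1=demo_out&event2=sm_demo&event3=pdemo&goto=http://CNN.com"
    print("unsafe:", redirect_target_unsafe(query))
    print("safe:  ", redirect_target_safe(query))
```

The allow-list is the important part: a check that merely looks for the site's own name somewhere in the string is defeated by `www.devicelock.com.evil.example`, and a prefix check on `http://www.devicelock.com` is defeated by the userinfo form. Where a redirector genuinely must send users off-site, the usual answer is to store the allowed destinations server-side and pass an opaque identifier in the URL instead of the destination itself.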


Google Docs Abused In Latest Spam Technique

Monday, May 26th, 2008

Spammers have adopted Google Docs in order to borrow the credibility of Google's domain, since spam filters would not flag a Google link as spam. According to MessageLabs, this latest technique is used to get around blocking and blacklisting of spam-hosting domains.

Since hosted Google Docs live under docs.google.com, it would be possible to ban that address, but the platform has many users and a large number of legitimate emails would be blocked along with the spam. Blocking spam with URL block lists is very popular, but a URL with “Google” in it is never going to be blocked because of all the legitimate uses.

Sending attachments like JPGs or Word .doc files has proven less successful than just sending the user a link, which is why this misuse of Google Docs might become more popular. Spam with just a URL isn't foolproof either: spam filters have relied on checking the links in emails and blocking them based on suspicious web addresses.

When the link points at a trusted domain that check no longer helps, and what remains is to judge the sender rather than the URL: unless a company can filter on source IP, the only way to catch such messages is through sender IP reputation.

There is also a limiting factor in this technique: Google Docs pages are far less dynamic than arbitrary HTML. The best spammers can do is put links in the page to get victims to click through to another site. HTML cannot be embedded, no malicious IFRAME can be added and no malicious JavaScript can run. Another obstacle is the creation of many Google accounts, which is not easy because Google has measures (CAPTCHA) in place to stop automated account creation.

MessageLabs found an example, a typical sexual enhancement advertisement, that asked the recipient to click on a link to a Google Docs page. From that page, more links led to Viagra purchases. The page was reported as spam to Google on May 8, but it is still live.

So far MessageLabs hasn't seen large numbers for this method, but Google's Blogspot blogging service is frequently used by spammers, so they may just be getting started. Spammers still use Blogspot as an intermediate drop page, so they may refine this method a little more and stick with it, unless it fails to deliver and they drop it.

Google has not responded on the subject at this time.


Hackers And Scammers Continue To Exploit China Earthquake

Thursday, May 22nd, 2008

Spammers and scammers are always ready to jump on the latest disaster or big news headline to exploit users. This time it is the Chinese earthquake disaster, which killed more than 50,000 people, that is being used to push scams and malware spam.

In one report, scammers sent out text messages enticing people to send donations to fund aid for helpless victims. Today there was a report of a spam message allegedly from a Filipino seeking financial aid to join his wounded wife in China.

Here are the first and last portions of the long-winded letter designed to get merciful recipients to take action, i.e. donate money. It starts with:

Dear friend,

I do not know your exact name. I can only guess. I ask you to read through my letter up to the end.

And ends:

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

Next, there are emails with infected Word attachments carrying the MalDoc-Fam Trojan. They are being distributed in messages that pose as news about the disaster, net security firm Sophos reports. The malware-tainted emails typically carry body text suggesting they contain news from China's official press agency, Xinhua:

BEIJING, May 20 (Xinhua) — The death toll from the earthquake in southwest China’s Sichuan Province has risen to 34,074 nationwide as of 2 p.m. Saturday, while 198,347 people were injured, according to the Information Office of the State Council. Pay attention to attachment for more.

Opening the attached Word document triggers an exploit that downloads malware onto vulnerable Windows PCs. The MalDoc-Fam Trojan is more than a year old, dating from March 2007, so up-to-date anti-virus and a patched Office installation should stop it.

These schemes, much like those that surfaced during previous tragedies, are surely only some of the many that will continue to use this ploy.

Recent reports say that even the official Web site for donations to the earthquake victims in China, that of the Chinese Red Cross, has itself been hacked to divert donations elsewhere. Ironically, even if you carefully donate only to legitimate organizations, you can never be sure who will actually get the money.

Users should be extremely cautious in extending their help. If possible, keep a closer watch on who gets the donation and where it goes.


Stolen Database Being Used To Spam Stickam Users

Friday, May 16th, 2008

Users of Stickam.com, a live webcam chat site with more than two million members, many of them teenagers, have been spammed this month with messages that mention Stickam but promote pornographic live video sites. The spam message pretends to come from a friend on Stickam and invites victims to send a message to a certain MSN Messenger address. Those who do receive a link to a page promoting one woman's offerings on SlickCams, a live pornography site that appears to be unrelated to Stickam.

Many of the people receiving the spam assume it is coming from Stickam. Stickam says it is not sending the messages, but it is the source of the e-mail addresses to which they are being sent: hackers broke into a message board system on the site in November and made off with the addresses that are now receiving spam.

The spam attack comes at an awkward time for Stickam, which has developed a reputation as a place where teenagers do things they probably shouldn’t be doing in front of webcams. Its image was not helped by the revelation that it is backed by a large online pornography business.

The hacking problem raises questions about whether the site is doing enough to protect its users' personal information. Stickam released a statement from its chief executive, Steven Fruchter, saying that the spam was “a result of illegal hacking on an old community forum system, which is no longer used.” Stickam.com has alerted law enforcement and is working closely with them to pursue legal action against those involved; the company said it was working with “the Secret Service and a specialized Internet security research firm” on a continuing investigation into the hack. Fruchter said that the spam problem should not affect people who joined the site after the break-in, and that Stickam has taken steps “to ensure this type of event can never happen again.”

Credit: David F. Gallagher, The New York Times Bits
