Computer Security Articles

Malware distribution via email is far from dead.  While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again

After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap especially as it claims money on your credit card was involved. But take a closer look at the subject line: Successfull Order 3677718, that wrong spelling should easily alert you that this email is a scam.

Cutwail Spam Campaign

Another malicious spam campaign originating from the Donbot botnet that came in later this week. It uses a common, uncreative theme with subject line like, “my hot pic : )“, “my naked pic is attached“, etc.  The Donbot botnet’s spam output is on the rise and this is the first time we have seen it spreading malicious attachments.

Dontbot Spam Campaign

Both spam campaigns contain a zipped attachment which, once extracted, contains an executable file that downloads – surprise, surprise – Fake Antivirus:

In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, that preys on peoples fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate among others.

Recent Facebook spam campaign sent by Asprox

The attachment is a Trojan that aims to seed the Aprox bot executable in the infected host, which is then used for spamming purposes.

SMTP transaction of an Asprox’s process ASPIMGR.EXE

We have blogged about these types of threats many times before.  In a sense, it’s the same old stuff with slightly different social engineering. Be wary.

The Royal Wedding of Prince William and Catherine Middleton that will be held tomorrow, on April 29, will attract the attention of many people around the world, and has become a trending topic on various websites, especially the social networking sites.

No doubt, it also became an easy target for the malware authors to spread their malware using SEO poisoning techniques. This Black Hat SEO technique has been used by malware writers from time to time, using hot topics to improve their site ranking on the search engine results.

As you can see on Google Trends and Google Insights, the search volume increases massively, and it also happens on Facebook and Twitter.

When you do a search related to this, some of the results point to malicious websites.

When a victim clicks such a link, he is redirected to a malicious site that forces a download of a fake antivirus:

• http://rnzrrljt.co.cc/[censored]
• http://xnslrqlr.co.cc/[censored]

These point to the IP: 78.26.179.10.

The malicious site shows fake scanning dialogs and also displays fake alert messages.

Once the downloaded file is executed, the rogue application starts its actions.

The used name of this rogue application can be different. In our tests, the name of this fake antivirus is “Win 7 Anti-Spyware” on Windows 7, but on XP it shows up as “XP Home Security 2011″.

Emsisoft Anti-Malware detects this malware as Trojan.Win32.FakeAV. Currently, based on Virus Total, the detection rates are still low, only 10 of 41 detect it.

We have seen countless number of rogue security products for Windows platform however this one is targeted to trick mobile users.

The sample masquerades itself as a certain AV for mobile and always reports that it has identified two threats in the mobile and pretends that it has encountered an error while trying to cure. It provides the users an error code as a reference token of the error scenario.

Fig.1: “scanner” is ready to be launched

Launching the “scanner” presents a friendly UI. The rough translation of the message written in Russian is: “Check your phone for viruses?” with a command button having the value “yes”.

Fig.2: The GUI that precedes the “scan”

Clicking “Yes”, the GUI shown in fig.3 is presented to the user. The translation of the progress bar message is “Checking files …”. During the scan, the sample plays an audio (.wav) file in the background (a crash sound)

Fig.3: The “scanning” progress bar

After few seconds of “scanning”, the sample displays a message that translates to the following:
“Result:
Trojan moby | C: \ sys.log
RebBrowser | C: \ sys.ini
Remove?”

Fig.4: Hardcoded results being displayed as a scan result

When the user chooses to remove the “identified threats”, the sample ends up with presenting the following message which translates to “An error was detected! Error code: 07931020″

Fig.5: The “error” message

This sample is supposedly spread by some social engineering tricks where the users would have been provided with support numbers/email id to contact to resolve these error codes displayed in screen 5. This info was missing to conclude how the malware authors were actually getting the money.

As mentioned in our earlier blogs, the best defence against such social engineering tricks is the education of users coupled with a mobile security solution. With the exponential growth of the smart phone market, it is expected such kind of threats will be growing proportionately.

We advise users to exercise basic security principles while surfing and be sceptical of free downloads , and as always keep your security products up to date.

The malware authors every now and then send us virus researchers some messages. For example in the compiled binary itself, or as debug output. Now we found a Zbot Trojan variant which tries to evade detection by carrying a digital certificate and therewith looking more legitimate. And this certificate is registered to “DetectMe! ”, also adding random data behind the certificate.

We see hints like these regularly – malware authors proposing names for their malicious creations or suggesting a place where a signature based detection would be suitable. Of course, such hints are ignored by us for detection but make us smile for a short time.

In this special case, our heuristics already notice other suspicious properties of the file and Avira thus detects the malware as TR/Crypt.ULPM.Gen.

Stefan Kurtzhals
Engine R&D

Dirk Knop
Technical Editor

A little while ago, phishing mails claiming to be from NACHA were in circulation – it seems the phishers have had enough of that, deciding to send out malicious files instead.

The mail claims an attempted bank transfer has gone horribly wrong, and you should open up the file listed as .pdf.exe – whoops – to see what all the commotion is about.

Click to Enlarge

Hitting the link takes you through a couple of URLs – freenacha-s(dot)info and fasdfq(dot)co(dot)cc/forum(dot)php?tp=27f57d3dcb81f8c0, with a fake 404 error page which serves up a rogue anyway (a member of the FakeSysDef family).

Click to Enlarge

reportAB8839.exe will give you an unwanted vistor, in the shape of Trojan.Win32.FakeAv.awrp (v). VirusTotal report currently gives a total of 7/40 detections. At time of writing, both Freenacha and fasdfq URls actually do appear to be offline, but the download location for the executable (nacha-report-download(dot)com) is still alive and kicking. No doubt it’ll appear in a few more emails before the site goes offline for good.

Christopher Boyd (thanks to Bharath and Joseph).

The highlighted fake security message in the above images varies each time with different trojan count. If you look at the source code of these webpages, it has been randomized for each subsequent visit. Here is a sampling of the altered source code:

The code contains different random variables and fake security warnings, which have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that may seek to match common string patterns. As with other fake AV sites, when a victim visits the page, he is social engineered into downloading fake security software which in turns out to be malicious program. Interestingly, each time you visit this website the malicious binary changes, which results in a different MD5 hash. The size of those malicious binaries remains same. Here are the MD5 hashes for different binaries downloaded from the same website:

The Virustotal AV detection results remain very poor with only 8/43 antivirus vendors detecting the files as malicious. Here are the results for above binaries:

http://www.virustotal.com/file-scan/report.html?id=524b2ae5004d1e80628c7e69363e6a0d6357e5a01340bf0f1a9c406d9f38cd77-1300754240

http://www.virustotal.com/file-scan/report.html?id=00d2f5827712547c18e294123f7984268cc47cc2b225a9214873584178cdc058-1300754363

http://www.virustotal.com/file-scan/report.html?id=ee3c2057135d084ea8fdeba2e3f4b8c4501728ef40fcc62bec84da4cddca7352-1300754286

http://www.virustotal.com/file-scan/report.html?id=8d4ac1aeb83f18c401b0df447e5fba2a6a02a744de6f7404a76939bd4278da94-1300754302

The example demonstrates that pure pattern matching engines will fail to detect the attack based on pattern matching strings in source code. Randomization of malicious binaries will also evade good antivirus engines.

Thanks

Umesh

When analyzing malware, we often look for strings within the malware samples. Those give some interesting insights about the malware, its creators or the targets, for example. While poking into a fake system optimizer, after some decryption layers we also found some interesting strings:

Especially funny is the string “Don’t stop me! I need some money!” which seems to get used as mutex. Also you can see some affiliate IDs which indicate that someone uses a pay-per-install-system like we reported about earlier.

The fake system optimizer claims that it needs to defrag the harddisk and that there are huge areas unreadable and the access times are greater than 500ms. This is pure BS, of course. But for less computer-savvy people this may sound compelling.

We detect this malware as TR/Crypt.ZPACK.Gen2 and constantly add new detections for new variants to improve the security of Avira users.

Moritz Kroll
Engine R&D

Dirk Knop
Technical Editor

Looking at the above images, you can see that the structure of code remains the same and only the variable names are randomized. Even the source of the page contains only a body tag and the malicious JavaScript. When this page loads, it starts creating animations that deliver security warnings to scare the victim. Here is one example:

As I mentioned in the earlier blog post, these are fake security attempting to coerce the victim into downloading fake antivirus software that will download additional malware onto the system. The code for doing these animations and initiating the download of malicious binaries is hidden inside the malicious script. Let’s decode the main script. The malicious JavaScript code has two functions defined and three lines of code to decode the content. Here is how they look:

The variable “euqbvulz” is passed in the first iteration to the decoding function “ikcmfynlzk()”. The decoded content is then stored in a variable called “wfuaydtmd”. The “wfuaydtmd” variable is again passed to in a second iteration to a second function called “fiyctdv()” with a “document.write()” function call. So the code will go through two iterations of the decoding. Let’s decode this code using Malzilla.

Malzilla successfully decoded the contents. But the decoded results contain another three heavily obfuscated JavaScript snippets and some HTML code. Let’s decode them one by one. Here is first one:

The first malicious JavaScript snippet decodes to the HTML “title” tag, which will be displayed as the title of the webpage, claiming it is a legitimate Windows security website. This means the HTML code displaying warnings and animation is hidden in the remaining malicious scripts. Here is second one:

The above script code will load the animated images with message “Initializing virus Protection System…”. Here is the third one:

If you look at the above image, you will notice some strings related to security, which suggests that this JavaScript code actually loads the animation. The first variable is declared as “strategy” so the strategy used by the attacker is to load the variable with JavaScript code in a CSS format. Here are some of the screenshots of that CSS code:

So, the code displaying the security warnings and messages are obfuscated multiple times by the attacker. You will notice the strings used by the attacker are displayed in warning images mentioned in the first few images. Due to the heavy obfuscation used, the detection rate remains very poor for legitimate antivirus vendors when scanning this HTML file.

Umesh

There’s falling on your sword, and there’s using Skype to call security researcher Adam Thomas then trying to sell him some fake AV.

This is an example of the latter.

The site involved was sosdl(dot)com (currently offline) and here’s a screenshot:

Click to Enlarge

The payment account is still live:

Click to Enlarge

Not sure I’d pay $ 19.95 for “instant repair”, but I’m sure somebody will find it tempting.

Read more about the fun people are having with rogue AV phonecalls over on the Brian Krebs blog., and keep an eye out for random URLs being thrown around Skype with “sos” in them.

Christopher Boyd (Thanks Adam).

We are tracking the trails of this fake "System Defragmenter" software since its first appearance last October 2010, and have warned our customers in our earlier post about this trojan software. In this follow-up post, we give an update including a new variant worth noting for our customers.

The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request (requirement) that users buy a license. This ultimately is the goal of the scammers – to extract money.

“Brands” or aliases
Common strategies of fake software include branding or use of different names and aliases, and this family is no different, releasing 2 or 3 rebranded variations every week. Many of them are listed in the table below, including the recent “WinScan” that we dissect in this post later on.

The Packers
FakeSysdef uses a few different packers. Figure 1 shows the custom-packer used by this rogue. FakeSysdef uses a relatively simple custom packer that in turn, uses an anti-emulation trick in its bid to thwart emulators.

Figure 1 – Illustration of packing layer and obfuscation by FakeSysdef

Perhaps, what is important to note about this packer is that it’s being used by other malware such as Rogue:Win32/Sirefef, Rogue:Win32/FakeRean, some variants of TrojanDownloader:Win32/Harnig and Rogue:Win32/Winwebsec and, recently, Rogue:Win32/FakeSpypro as well.  It is not uncommon for malware to share packers; identifying the packer can be sufficient to classify the packed file as malicious. (See “Standards and Policies on Packer Use”, our blog post about the use of “taggants” to identify a packer family).

The packer layer decrypts the code and copies the decrypted code to the newly allocated memory before jumping to the second layer, or the injector stub. The injector stub can be easily recognized by the starting code similar to that shown below:

The first two calls just get the base addresses of KERNEL32.DLL and NTDLL.DLL. With the base addresses in hand, the injector can now easily retrieve other needed APIs by parsing the DLL’s Export Address Table, including the RtlDecompress() API, to uncompress the embedded executable using COMPRESSION_FORMAT_LZNT1:

00A41D21                 push    edx             ; RtlDecompressBuffer
00A41D22                 mov     eax, [ebp+_NTDLL_]
00A41D28                 push    eax
00A41D29                 call    _getprocaddress
00A41D2E                 mov     [ebp+var_204], eax
00A41D34                 lea     ecx, [ebp+var_90]
00A41D3A                 push    ecx
00A41D3B                 mov     edx, [ebp+arg_0]
00A41D3E                 mov     eax, [edx]
00A41D40                 push    eax             ; CompressBufferSize
00A41D41                 mov     ecx, [ebp+arg_0]
00A41D44                 add     ecx, 4
00A41D47                 push    ecx             ; CompressedBuffer
00A41D48                 mov     edx, [ebp+arg_4]
00A41D4B                 push    edx             ; UncompressedBufferSize
00A41D4C                 mov     eax, [ebp+var_19C]
00A41D52                 push    eax             ; UncompressedBuffer
00A41D53                 push    COMPRESSION_FORMAT_LZNT1 ; Format
00A41D55                 call    [ebp+var_204]   ; RtlDecompressBuffer

The injector then fixes the PE image in memory after stuffing the now-decompressed code into the host’s own address space. Finally, it jumps to the final entry point of the malicious program, and begins the installation:

00A42957                 mov     [ebp+var_1C], ‘A’
00A4295B                 mov     [ebp+var_1B], ‘l’
00A4295F                 mov     [ebp+var_1A], ‘l’
00A42963                 mov     [ebp+var_19], ‘ ‘
00A42967                 mov     [ebp+var_18], ‘d’
00A4296B                 mov     [ebp+var_17], ‘o’
00A4296F                 mov     [ebp+var_16], ‘n’
00A42973                 mov     [ebp+var_15], ‘e’
00A42977                 mov     [ebp+var_14], ‘.’
00A4297B                 mov     [ebp+var_13], ‘C’
00A4297F                 mov     [ebp+var_12], ‘a’
00A42983                 mov     [ebp+var_11], ‘l’
00A42987                 mov     [ebp+var_10], ‘l’
00A4298B                 mov     [ebp+var_F], ‘i’
00A4298F                 mov     [ebp+var_E], ‘n’
00A42993                 mov     [ebp+var_D], ‘g’
00A42997                 mov     [ebp+var_C], ‘ ‘
00A4299B                 mov     [ebp+var_B], ‘O’
00A4299F                 mov     [ebp+var_A], ‘E’
00A429A3                 mov     [ebp+var_9], ‘P’
00A429A7                 mov     [ebp+var_8], 0
:
00A429BD                 mov     edx, [ebp+arg_0]
00A429C0                 add     edx, [ecx+10h]
00A429C3                 mov     [ebp+_final_entry_point], edx
00A429C6                 mov     esp, [ebp+arg_8]
00A429C9                 xor     eax, eax
00A429CB                 mov     edi, [ebp+arg_14]
00A429CE                 mov     esi, [ebp+arg_10]
00A429D1                 mov     ebx, [ebp+arg_C]s
00A429D4                 jmp     [ebp+_final_entry_point]

New variant?
Earlier in February, we received an attention-getting new sample of FakeSysdef from a customer. At first we thought it was different malware, but looking closely and analyzing the sample, it was indeed a major modification to the FakeSysdef family.

For comparison, previous variants use the same interface and logo with an icon similar to a trojan horse:

Figure 2 – Various branding for FakeSysdef

This most recent FakeSysdef sample is using a new interface, though you can tell that it’s part of this family because the menu, texts and (fake) errors messages are still the same (see Figure 3):

Figure 3 – New FakeSysdef GUI

The new variant is armored with a new shiny GUI and its scareware tactics are rather alarming and more aggressive, leaving the computer virtually useless until the user pays for the license to fix the bogus errors.

It is packed with UPX, a packer that is plain and simple without complex obfuscation that would make analysis more difficult. This is an indication that it’s in the early stages of development and still lacks emphasis on malware “hardening” intended to hide the malware from scanners and malware researchers alike.

The Loader
The main executable component arrives as an EXE file and acts as a loader. It first terminates the Internet Explorer process if found running. On computers running Windows Vista and later, it makes sure that it runs as an elevated privilege process. Then it drops a DLL file such as the following:

"C:\Documents and Settings\All Users\Application Data\aJnsgXnTGrqWD.DLL”

It injects the DLL to the specific process name EXPLORER.EXE. After a while, it starts to display a fake error message:

Figure 4 – Fake error message

FakeSysdef injects the DLL file into processes (upon reboot) with the following registry change:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls, “AppSecDll” = "<DLL_PATH>"

The DLL code is kind of selective by only allowing itself to run under specific target processes, so it effectively injects itself only to Explorer.exe, Winlogon.exe and userinit.exe processes.  After injection, it tries to connect to a hardcoded URL, perhaps to phone home its affiliate ID for a pay-per-install scheme:

<site>/404.php?type=stats&affid=487&subid=new05&awok

As of this writing, the associated site “findcopper.org” and URL requested is no longer available.

Scaring the user
The DLL component creates a black BMP file on the fly based on the operating system (Productname) and service pack number queried from registry data, and sets the created BMP as the desktop background (see Figure 5). This BMP file is dropped in the Temporary files folder and will appear to be an authentic “Safe Mode” boot background which will be used later on after a forced reboot by the trojan.

FakeSysdef also disables the background tab options of the Windows desktop configuration to make sure that the new desktop background will not be altered, with the following registry modification:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, “NoChangingWallPaper”=”1”

It may terminate more active processes and will, finally, force the machine to reboot. Once rebooted, the malware begins its assault by showing a fake Windows boot failure error dialog box at the background, with the BMP created earlier on top of it, simulating Safe Mode:

Figure 5 – Fake Safe Mode and “Windows Boot Failure” dialog after reboot

This is followed by a disk diagnostics dialog that will request permission to diagnose the “disk problems”. Annoying disks and memory errors will pop-up to assert its presence and create more panic for the user. Eventually, the malware will offer a module to download and “fix” those errors. If the user doesn’t accept the fix, the malware will again reboot the computer and the process repeats itself again and again, until the user might just give up and allow the “fix” module to run.

The machine appears useless now and will not allow any application or program to be executed, leaving the hapless user seemingly no choice but to accept the fix and repair offered from the rogue authors (see Remediation at the end of this blog). Yes, that’s the scareware tactics.

The remainder of symptoms by this trojan variant are already similar to previous variants – before it fixes the errors, you need to activate the module by purchasing a software license from these malware makers. It opens a simple, custom browser showing a very legit-looking “secure and verified” webpage.

Rogue Call-back and Affiliate Sign In
This trojan family phones home to a remote website to record its installation stats such as how some other malware is installed and the affiliated ID, presumably for pay per install business transactions. This network communication and behavior makes it possible to write IDS/IPS signatures to detect and block its network activity. Our data shows that FakeSysdef has the following outbound connection string formats:

<website>.com/dfrg/dfrg
<website>.com/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/customers/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/404.php?type=stats&affid=<AFFID>&subid=<SUBID>&

Example URLs:

<website>readdatagateway.php?type=stats&affid=427&subid=01&version=5.0&adwareok
<website>/customers/readdatagateway.php?type=stats&affid=427&subid=02&version=5.0&installok
<website>/404.php?type=stats&affid=484&subid=t01&version=5.0&installok

Some of the sites contacted by this family include (edited):

<string>across.org
<string>finddivide.org
<string>findexchange.org

At least one of the sites involved allows the malware affiliate to log on as displayed below:

Figure 6 – Example of the affiliate logon portal

Remediation
There is a somewhat painless method to remove this trojan without giving in and paying the trojan. The basic steps are to start the computer in safe mode, delete the trojan DLL responsible as well as the scary bitmap wallpaper, then reboot and scan.

The DLL is identified by reviewing the registry data “<DLL_PATH>”:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
“AppSecDll” = "<DLL_PATH>"

The bitmap is stored as either “wall.BMP” or “<random>.BMP“ in the Temporary files folder. The trojan also sets a policy to prevent the user from modifying the desktop wallpaper via a registry setting named “NoChangingWallPaper”. Windows customers requiring additional help can get assistance from our online support site http://support.microsoft.com/ or via phone by calling 1-800-PC-SAFETY (1-800-727-2338).

Conclusion
Despite its simplistic approach, and with its recent code modifications, FakeSysdef tells us two things: (1) the malware authors are getting a reasonable amount of money from their operation, and (2) it seems we will be seeing more of this trojan in the coming months.  The hardcoded strings – Uniform Resource Identifier (URI), filenames, etc. — suggest that the scammers are using a toolkit or builder to compile new releases.

Hopefully, you found this post helpful. MMPC will continue to track and haunt them until the game is over.

– Rex Plantado, MMPC

Websense® Security Labs™ Threatseeker® network has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually be originating from the Cutwail/Pushdo spam bot. This time round, the Cyber criminals employ two attack vectors: social engineering and an exploit kit. Both end up with the Zeus/Zbot Trojan installed on the targeted machines.  

Websense customers are protected from this attack with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

Here is an example of a malicious email in Spanish:

The malicious email is spoofed to appear to be coming from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as a formal Facebook link. Once clicked, the user is redirected to an attack page and is prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant. At the time of writing, the file had only a 7% detection.

The attack isn't over yet. While the fake Facebook page loads, the user's machine is attacked silently with several exploits in the background. The exploits are sent via an iframe contained in the fake Facebook attack page. This process happens silently when the attack page is loaded. The exploits are loaded from one of the most prevalent exploit kits today – the Blackhole exploit kit. Any successful exploitation results in the Zeus/Zbot Trojan installed silently on the user's machine.

Here is an example iframe from the Facebook attack page that points to Blackhole exploit kit:

The Federal Bureau of Investigation has asked the public to beware of Japan quake relief scams, WKYC reports. The report provides ten tips to help identify fake ‘charity’ efforts, as under:

1. Don’t respond to unsolicited/spam emails — including clicking links in those messages. Those links could contain a computer virus.
2. Be skeptical of anyone claiming to be from a charity asking for donations via email or social networking sites.
3. Beware of organizations with “copy cat” names, which are names similar to reputable charities.
4. Don’t just follow a link to a supposedly reputable website. Instead, use any number of online resources — like the Better Business Bureau — that can help confirm a charity’s legitimacy and nonprofit status.
5. Watch out for emails that claim to have pictures of the disaster areas in attached files. These may easily contain viruses. Only open attachments from senders you are truly familiar with.
6. Make contributions directly to a known organization rather than relying on others to make the donation on your behalf. This ensures that the contributions are received and used for the purposes you intended.
7. Do not be pressured into making contributions. Reputable charities do not pressure you into donating.
8. Providing personal and financial information can leave you vulnerable to identity theft. Make sure you know who you’re dealing with when providing this kind of information.
9. Avoid cash donations. Pay by credit card or write a check directly to the charity. Do not make checks payable to individuals.
10. Legitimate charities don’t normally use money transfer services for donations. Most legitimate charities have websites that end in “.org” rather than “.com” domains.

Earlier today, we found a phishing site that poses as a donation site to raise money for the victims of the recent earthquake in Japan. The phishing site http://www.japan{BLOCKED}.com is created by using an open-source social networking system Jcow 4.2.1. It is hosted on the IP address 50.61.{BLOCKED}.{BLOCKED}, which is located in the United States. We’ve confirmed that the site is still active as of this writing.

Aside from hosting a phishing site, the cybercriminals behind this attack also abused the blog function of the website and inserted advertisement-looking posts, possibly to increase the site’s SEO ranking.

Such attacks are not uncommon as we’ve previously documented instances of attacks that leveraged natural disasters such as Hurricane Katrina in 2005, Hurricane Gustav in 2008, Chinese Sichuan earthquake in 2008, the latest attack used the Haiti earthquake in 2010.

Users should remember to choose trustworthy organizations when it comes to handing over their donations.

The Trend Micro™ Smart Protection Network™, through the Web reputation technology already blocks access to this phishing site even if a user is duped into clicking its link.

Post from: TrendLabs | Malware Blog – by Trend Micro

Phishing Attack Uses Fake Donation Website

We continue to see numerous infected sites, which are redirecting users to fake security software campaigns. The pages display animated fake security warnings to users in order to scare them and convince them to download and install a binary, which is generally packaged as fake antivirus software. The victim will be infected with a downloader Trojan that will then download additional malware. Below are a few screenshots of animations typically used in the attacks:

After this initial load animation, the user will be prompted with another security warning:

Once a user clicks on the OK button, additional animated fake security warnings will be displayed.

At this point, the user is prompted to download the fake antivirus software.

This same campaign has been used over and over again and can be found hosted at thousands of domains.

All of the above animations are from the same malicious website. The content is randomly changed for each new visit to the site. Once installed the victim is forced to activate or buy a license key to remove these fake threats from the system. Here are some tips for users who still wants to stay away from those attacks.

1) No real Antivirus vendor displays such security warnings, animations and popups.

2) No website will scan a system when visited and display immediate warnings about threats on the system.

3) No real Antivirus vendor will force you to download an execuatble.

4) When you need AV software, go directly to the site of a reputable vendor yourself.

5) Keep an eye on address bar for the URL name and redirected URL names.

6) Keep any eye on the status bar of the browser, which is present at the bottom to spot redirection taking place.

7) If you want to download executable but are unsure that it is legitimate, it can be scaned against various antivirus vendiors by submitting it to a service such as VirusTotal If popular vendors triggers or declare the file as malicious, immedeatly delete it from the system.

Install a common antivirus solution and keep it updated with latest virus definitions.

9) Last but not least, never pay for such fake security software.

The VirusTotal results for the fake security software from the above example show that it was detected by only 21/42 popular AV vendors. Even now, we are still seeing a large number of fake security software websites promoting their fake products.

Stay safe

Umesh

A friend sent me this link, which is an interesting spin on the old “HMRC tax refund” scam – a fake HMRC claiming your bank wants to issue a refund instead.

Click to Enlarge

As you can see below, they have a large selection of banks to choose from (in keeping with more common phish attacks):

Click to Enlarge

Everybody from NatWest and HSBC to Santander and Halifax are in there. Most of the bank specific pages all ask for the same kind of personal information, but if one of the banks asks for something unique to them (such as a banking PIN or other security feature) the phishers have taken care to include those too. If your bank isn’t included, no problem: they have a generic “catch-all” page for you to sign up to years of identity theft and a couple of days worth of “Who bought all this stuff on iTunes”?

Here’s a sample of the information asked for on the Barclays page:

Click to Enlarge

Deep breath: name, address, phone number, email (and email password!), national insurance number, information related to your parents, how long you’ve lived at your address, employment status / income, your full card details (of course) and everything related to your online banking account.

I think “Ouch” is the word we’re looking for.

HMRC do not issue tax refunds by email, they most certainly do not have websites where banks want to issue you with refunds, and they also know how to spell “being” (take another look at that second screenshot).

Avoid like the plague.

Christopher Boyd

Most Fake AV pages mimic a Windows Desktop application running. In addition, the Fake AV pages have generally been the same regardless of which browser they are viewed. I recently found a new type of Fake AV page that looks different on each browser. And it also uses internal elements of those browsers.

Internet Explorer version

The version for Internet Explorer looks more like the previous pages I’ve seen.

Fake AV page for Internet Explorer

The malicious executable InstallInternetDefender_722.exe is detected by only 9.5% of the AV!

Virustotal results for malicious executable

Firefox version

The version displayed in Firefox browsers i very interesting. It looks like the security warning Firefox shows for malicious and phishing sites.

Fake AV page for Firefox

The source code of the pages shows that the page is using internals elements of the browser to construct the page:

• chrome://global/skin/netError.css
• chrome://global/skin/icons/blacklist_favicon.png

Use of internal Firefox elements

The warning looks very legitimate.

Chrome version

Like for Firefox, the Chrome version looks like a legitimate browser warning.

First warning from the fake AV page

Fake AV page fro Chrome

Safari version

For Safari, only the first popup box is taylored to the browser. The main page is the same as Internet Explorer.

Fake Av warning for Safari

Fake AV continues to evolve. This new version for Firefox will surely fool more than one user.

– Julien

We have observed that cyber criminals are sending fake emails about tax refund. This is a latest cyber crime activity where they are trying to trap innocent users aimed at extracting bank details in the pretext of tax refund notification. The mails that you may receive about income tax refund is not sent by any government authorities as mentioned in the email.

Original text from the fraudulent email :

Dear Valued Taxpayer,

The Central Board of Direct Taxes (CBDT)

The website link in the email takes to the webpage aimed at collecting bank account details, user ID, password of the innocent users. This data will be immediately used by the cyber criminals to take money from your bank account.

We recommend not to respond to any such emails and not to click on the link in the email.

See what happens when I purposely infect my computer with Power AntiVirus (a rogue anti-virus known to be malicious.) Notice some of the patterns and learn how to protect your computer in our series of videos. Our Blog: www.e-geniuses.com

Video Rating:

There’s many attackers out there who want to steal your credential information. And no doubt, Facebook as one of the largest Social Networking sites in the world, always been a target of attack from the bad guys.

Let’s take an example from the following message:

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

hxxp://customer-supports-account.webs.com/facebook-security/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2011. All Rights Reserved.

With social engineering technique, the attacker try to lure users by said that the email come from Facebook Team.

When you click on the given link, it will show the following screen, a similar to the Facebook login page:

This page actually calling another malicious site:

• hxxp://djarum-black.24.eu/

As you can see here, every time you enter the password, then this script will call “incorrect.php”, and show you a messages said that the password you input is wrong. But, in fact, in the background your login information has been recorded by the attacker. And now, they able to change your original password, and they can do anything they want.

And here’s another scam messages that you may receive:

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

http://malicious_links/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2011. All Rights Reserved.

—

You perform actions that may be considered disturbing or offensive.
Your account has been reported by other users.
Your account will be blocked within 1×24 hours.

to cancel the blocking follow this link:

http://malicious_links/

Thank you,
Facebook Team

—

We get reports that your account was made a few mistakes, and is ensured by our team that there were errors in the use of social networking (facebook).
To ensure that this account belongs to you, we need your cooperation.
If you ignore this message and do not follow our policies, we are forced to deactivate or suspend your account.
The deadline for your confirmation for 24 hours starting from this incoming message.

To complete the process, please follow the link below:

http://malicious_links/

Confirmation Code: q0w8i32j

This message is not a scam, if you’re not sure you can change your facebook password and email after registering.

In the future, all warning of security will come through the Facebook Security. To receive future updates to Facebook’s site security, become a fan of the Page.

Copyright © 2010 by the Present Facebook ™
All rights reserved.

—

Your account will be deactivated immediately.Because someone has reported your actions.Maybe you have written content that is abusive. Or upload a picture that can be insulting or harmful to other users.You must confirm your account, to stop the warning deactivated on your account. Please re-confirm your account at:

http://malicious_links/

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

If you receive a message like this, please do not click on the given link! This link will lead to a phishing page.

—

Your account has been reported other users on the grounds of violating the provisions facebook:

1. fake profiles
2. porn photo
3. conduct phishing
4. insulting others
5. threatening others
6. inappropriate chat
7. contains pornographic images
8. conduct violation Terms of services (TOS)

facebook does not allow to do actions that are considered disturbing or offensive by other users.
please make confirmation within 24 hours, if you feel there has been a mistake.

IIf you do not confirm, the system automatically shut down your facebook account will be permanently on the assumption that the indications are correct.

Thank you for helping improve our service.

facebook ™ security
© 2010 copy right facebook network inc.

for cancellation, please confirm your facebook account below:

http://malicious_links/

—

Because too many users of this service, we decided to disable some unused accaunt in anticipation of damage to our network.

re-confirm your account here to help our checking account is not used anymore.
click our link below as your statement that accaunt still being used:

===============================

http://malicious_links/

===============================

You must verify your e-mail address before you can use it on facebook service

Attention:
If you do not re-confirm your account immediately, we are not responsible if your account will be disabled automatically by our system.

Thank you for using our services.
Facebook™ Gаmе пеtwогκ іпс
соρугіgһt © 2010 Facebook, іпс.. а׀׀ гіgһtѕ геѕегvеd.

—

Your account has been reported by other users for reasons that are not allowed to facebook.
facebook does not allow to do actions that are considered annoying or insult other users.
please confirm if you feel there have been mistakes, if you have not been confirmed, the system will automatically close your facebook account permanently.
please confirm your facebook account below :

Facebook Securitγ™ | Confirm Account

http://malicious_links/

Cоpγright © Facebook 2010, пеtwоrk Iпc.

—

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

http://malicious_links/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2010. All Rights Reserved.

—

Facebook security systems found indications that you have violated the “Terms of Service ‘(TOS) to do a post that contains :

1.Upload photos or images that violate the conditions of use facebook
2.Copyright infringement
3.Pornography or contains nudity
4.Insults, hateful, threatening, inciting, or acts of violence
5.Perform actions that interfere with another user and you have been reported by other users

Please confirm within 24 hours if you feel there has been a mistake.
If you do not confirm, the system will automatically close your facebook account or permanently disabled with the presumption that such indication is correct.

Please confirm your facebook account by clicking the link below:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Facebook @2010 copyright network inc

—

Your account has been reported by other users reasons that are not allowed. Subject of:

1. Fake profiles
2. Fake Photo
3. Perform post
4. Insulting others
5. Threatening another person
6. Chat inappropriate
7. Contains pictures porn
8. Violation of Terms Of Service (TOS)

Facebook does not allow to do actions considered to interfere with or insult other users. Please confirmation within 24 hours. If you do not confirm, then the system will automatically deactivate your facebook account permanently with presumption that such indication is correct.

Thank you for helping improve our service.

Facebook™ security
Facebook © 2010 Copyright Network Inc.

If you feel there has been a mistake. Please confirm your facebook account on the PAQ below: WARNING! YOUR ACCOUNT WILL BE DISABLED

—

Our system has received numerous reports from other users about the misuse of your account, and it can cause your account will be suspended or disabled. Sometimes users get this warning because of abusing one of our features.

The reason for this is not limited to:
• Fake profile
• Incompatibility in your profile photo or album
• Those who distribute racist or sexy comments
• mailing systems Abuse Facebook
• Register more than one unique account

If you promise not to do things that violate the terms of service for the second time, our team is still giving direct policy to confirm your account that allows you to use your account again.

For confirm your account, please visit at:

http://malicious_links/

If within 24 hours after you receive information from us you are not immediately confirm the account, your account automatically will be disabled permanently.

Thank you
Regard,
Facebook ™ Security

—

Notice! Your account till now unconfirmed.

Facebook requires users to confirm the account as the respective proof of the authenticity of the account owner.
This is in because many people using false identities in their profile violates our Terms of Use which can be lead to blocking your account temporarily or account permanently closed.

If you are the original owner of this account immediately to confirm your account are at our FAQ

http://malicious_links/

To stop blocking
This or within 24 hours of account
we will switch you.

Thank you for your understanding.
█║▌│█│║▌║││█║▌║▌║
0111 8802 5334 9991 102

Rescue Operations Analyst ** Facebook © 2010 **

—

Suspicious activity detected on your Facebook account (i.e. it looks like you were violating our Terms of Service (“TOS”));
we will being permanently suspended your account.
If you agree to reinstatement terms your account.
Please follow instructions below to request reactivation.

Please contact customer service or
You are required to confirm your account at below :
———————–

http://malicious_links/

———————–

Attention:
If you don’t verify your account, then your account disabled automatically by our system.

Kind Regαrds,
Fасеbооk Sесυгitу .Iпc ™
Cоρугigнт © 2010 Sаfеtу Fасеbооk Lтd.
█║▌│█│║▌║││█║▌│║▌║
apps.facebook.com

—

We get the information from our security system that your account was reported by someone because doing:

► Transferring chiрs thrоugh lоsing and (selling).
► Cheating оr multiрle accоunts.
► Harassment, bullying, оr viоlent threats against оther user.
► Buying оr selling virtual gооds.
► Оffensive, disgusting, оr shоcking acts.

if you feel this is a misunderstanding or false accusation you must confirm your account!

Please confirm your account here:
▬▬▬▬▬▬▬▬▬▬▬

http://malicious_links/

▬▬▬▬▬▬▬▬▬▬▬

Within 24 hours if you do not confirm it, then the game “Texas Holdem Poker” in your account will be subject to sanctions in the form of temporary or permanent suspension, assuming that the allegations were true.

Thank you for improving our services
▬▬▬▬▬▬▬▬▬▬▬

http://malicious_links/

▬▬▬▬▬▬▬▬▬▬▬
Zуnga gamеѕ nеtшоrκ іnс. рaсе роκеr Bооκѕ
Attn: іntеllесtual ρrоρеrtу Agеnt
444 DеHarо ѕt., ѕuіtе 132
ѕan Franсіѕсо, сalіfоrnіa 94107th
█║▌│█│║▌║││█║▌│║▌║

—

Your account has been reported by other users with reasons that are not allowed in facebook, regarding about:

1.Fake profiles.
2.Your use of excessive application.
3.Identity fraud on your account.
4.You write content that is not fun (ROUGH).
5.Using facebook account just for the games applications.

Please confirmation within 24 hours if you feel there has been a mistake. If you do not confirm, the system will automatically close your facebook account or permanently disabled with the presumption that such indication is true.

For cancellation, please confirm your facebook account below:
▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬

http://malicious_links/

▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬
Thank you for helping to improve our services.

Facebook ™ Security
Facebook © 2010 Copyright Network Inc.
█║▌│█│║▌║││█║▌│║▌║

—

Blocking υp Accoυnt, Immediate Verification.
Violation – Facebook Terms of Service Warning! Your account could be disabled…

Blocking υp Accoυnt, Immediate Veгification.
Between You and Facebook Șecurity
Facebook Șecurity December 3 at 5:27pm Report
Violation – Facebook Terms of Service
Warning! Your account could be disabled.

Yoυr behavior indicates that you may be in violation of Facebook’s Terms of Use. Continued misuse of Facebook’s features could result in your account being disabled.

The гeasoпs your facebook account will be disabled:

1. Your account has been reported by some people
2. Fake profiles
3. Identity fraud on your account
4. You write content that is not fun (ROUGH)
5. Using facebook account just foг the games applications.

If you have never done this violation, please verification your account here:
============================

http://malicious_links/

============================

If you do not verification within 24 hoυrs, facebook secυrity system will disable your account. If you do not confirmed, the system will aυtomatically shut your facebook account permanently with the presumption that such indication is true.

Tһank you for helping to improve our services.

Facebook ™ Security
Facebook © 2010 Copyright Network Inc.
█║▌│█│║▌║││█║▌│║▌║

—

Facebook security system found indications that you are in violation Terms Of Services (TOS) to do a post containing:

1.You are violating copyright law No.32 of 2004 facebook about online
2.Upload photograph or image that violates the conditions of use facebook
3.Violation copyright
4.Pornografi or contains nudity
5.Humiliation, hateful, threatening, or inciting violence action
6.Take actions that disrupt or insult other users and you
have been reported by other users.

Please make confirmation within 24 hours if you feel there has been a mistake. if you do not confirm, the system automatically to your facebook account permanently assuming the correct indication

Note: please confirm your facebook account on the following link:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Facebook © 2010 Copyright network Inc

—

Your account will be deactivated immediately.
Because someone has reported your actions.
Perhaps you have written content that is offensive or upload an image to insult or harm other users.
You must confirm your account, to stop the warning disabled
on your account.
Please confirm address below:
***************************

http://malicious_links/

***************************

“CAUTION”
Please confirm within 1×24 hours to fix your account. If not, our system will automatically close your facebook account permanently with the presumption that such indication is correct.

FACEBOOK ™
соρугіgһt © 2010 Facebook, іпс .. а | | гіgһtѕ геѕегvеd.

—

Your account will be immediately deactivated .someone has reported your actions. Maybe you have written content that is abusive and upload a picture that insulting or harmful to other users. You must confirm your account, to stop deactivation on your account.

Please confirm your account here:

► http://malicious_links/

if within 24 hours you do not confirm , the system will automatically close your facebook account (disabled), with the presumption that such indication is true.

This policy is designed to ensure permanent facebook social networks that are safe, comfortable and reliable for all users.

Thank you for helping to improve our services.
Facebook Team Security 2010
Terms of Intellectual Property and Security Policy

—

You are engaging in behavior that may be considered annoying or abusive by other users. You should be continue this phase for confirmation, if you don’t re-confirm, our system will automatically disabled the account permanently.
Please update your account here :

http://malicious_links/

Thanks for using our services.

—

NOTIFICATIONS!!

Your account will be banned or suspended or otherwise violate the requirements for facebook / poker texas holdem
to avoid suspension or banning of your account, please use the support feature to send an email to our terms of demand for administrators to avoid any actions taken by Zynga. / Facebook team
after you have registered, you can contact our customer service team directly by clicking the link below to confirm your account:

http://malicious_links/

Note: This site is created by Zynga / Facebook Team to give you a chance to confirm your account before your facebook account in the block or in the report.
And Tim Zynga / facebook only provide confirmation of 1×24-hour time limit …!!!
please support us with all the information you need to think to ask about this website.

Facebook Security Team. Inc ™
Copyright © 2010-2011

—

Facebook Security Team have reports there are some mistakes that are not in accordance with the feasibility of using your facebook, among others:
1. Using the application of excessive
2. Identity fraud on your account
3. Using pictures that are considered annoying
4. Insulting other users

To clean all of the allegations about your account, please visit Facebook Security customer support here :

=============================

http://malicious_links/

=============================

Attention !
If you ignore the message of this policy, we are forced to deactivate your account. Thank you for your cooperation

Facebook Security Services ™ 2010

—

Our security system detects suspicious activity on your account that violates the Terms of Service (TOS) in the form of posts that contain pornography, contempt, hatred, threaten, incite, violence, violations of copyrights or contains nudity.

Please confirm your account within 24 hours if you feel there has been a mistake. If you do not confirm, the system will automatically close your facebook account permanently with the presumption that such indication is correct.

Thank you for helping improve our service.

Facеbооk ™ Security
Facеbооk © 2010 Cоpyгіght Nеtwоrk Inc.

Please confirm your facebook account on the following link:
Facebook Account Confirmation

http://malicious_links/

Please confirm your Facebook account immediately to avoid disable account permanently. We apologize for this inconvenience.

—

Our system found recently accessed your account from a location unknown to us. For your protection, please review your last activity to make sure nothing is using up the account without permission.

Reviewing your activity requires only a few moments. We’ll start by asking a few questions to confirm that this is your account. (If we recognize your computer, you will be able to skip this step.).

Please verify your account within 24 hours, if you ignore then we will block this account for your security.

Please verify your account here:
_____________________________________________________

http://malicious_links/

_____________________________________________________

Thanks for Helping to improv our services.

Facebook ™ security
Facebook @2010 copyright network inc.
█ ║ ▌ │ █ │ ║ ▌ ║ │ │ █ ║ ▌ │ ║ ▌ █

—

ΑТТΕΝТІОΝ,youг accouпt will be deactivated iммediately . Because soмeone has reported your actions . Maybe you have written content that is abusiveoг upload a pictuгe that caп be insulting or harмful to other useгs.You must confiгм your account, to stop the waгning deactivated on youг account.Please гe-confiгm your account at:

http://malicious_links/

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

Facebook Team. Inc ™
By Copyright © 2010 Facebook, Inc. ..

—

Your account will be disabled.
Your account has been reported by another user with the reason violations,
- Insult other users
- misappropriated
- violate the rules on your account

If you believe this is an error , please click bellow to registration security your account :

http://malicious_links/

If within 12 hours you do not confirm to facebook security center, we will be banned your account.

Thank you, for your cooperation
Best regards, By Facebook Security™.
Сорүгіgһt © 2010 Security Νеtwогk Іпс. Аlŀ гіgһt геѕегνеd

—

Yоur ассоunt һаѕ bееn rероrtеd by аnоtһеr uѕеr wіtһ tһе rеаѕоn:
1. Іllеgаl trаnѕfеr сһір
2. Uѕіng inѕult wоrd tо оtһеr player

Please be sure to visit the Application Facebook Help Center

============================

http://malicious_links/

============================

Thanks,
Facebook Security Team

—

Your account will be deactivated immediately.Because someone has reported your actions.Maybe you have written content that is abusive or upload a picture that can be insulting or harmful to other users.You must confirm your account, to stop the warning deactivated on your account.

Please re-confirm your account at:

http://malicious_links/ <—–click here

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

Facebook Team. Inc ™
By Copyright © 2010 Facebook, Inc. ..
All rights reserved
█║▌│█│║▌║││█║▌│║▌

—

Your account has been reported, please list your account to prevent deferred account.
We just want to help you in securing your account.
To secure your account, visit the Facebook service center below:

►http://malicious_links/

If you do not register your account within 24 hours, your account will be suspended or deactivated.
Security of your account will be processed within 24 hours.

Тһаnk yоυ, yоυr fоr соореrаtіоn
Веѕt rеgаrdѕ, Вy Ѕесυrіty ™ Facebook.
Сорyrіgһt ™ © 2010. Аlŀ rіgһt rеѕеrved.

—

Аkυп αпdα теlαһ di lαрoгkαп olеһ репggυпα lαiп dепgαп αlαѕαп үαпg тidαk diрегbolеһkαп di Fαсеbook, Peгiһαl тeптαпg :

1. Pгofil рαlsυ.
2. Foto рαlsυ.
3. mеlαkukαп pоsтiпg.
4. meпgһiпα oгαпg lαiп.
5. mепgαпcαm oгαпg lαiп.
6. Obгolαп yαпg tαk pαпtαs.
7. bегisi gαmbαг теlαпJαпg.
8. mеlαkukαп pеlαпggαгαп тегhαdαp тегms оf sегvicеs (тоs).

Fαсebook тidαk mепgiziпkαп mеlαkυkαп тiпdαkαп Үαпg diαпggαр mепggαпggυ αtαυ mепgһiпα olеһ рeпggυпα lαiп.
Silαhkαп mеlαkukαп kопfiгmαsi dαlαm wαkтu 24 Jαm Jikα αпdα mегαsα теlαh тегJαdi kеkеliгuαп.Jikα αпdα тidαk mепgkопfiгmαsi,sisтеm sеcαгα отоmαтis αkαп mепuтup αkuп fαcеbооk αпdα sеcαгα pегmαпеп dепgαп αпggαpαп bαhwα iпdikαsi тегsеbuт bепαг.

тегimα kαsih kαгепα mеmbαптu mепiпgkαтkαп pеlαyαпαп kαmi.

Uптuk Pembαtαlαп, Silαhkαп kопfiгmαsi αkuп fαcеbооk αпdα di bawah ini:

==============================

http://malicious_links/

==============================

Fαcеbооk ™ sеcuгiтy
Fαcеbооk © 2010 Cоpyгighт петwогk Iпc.

—

your account has been reported by other users for reasons that are not allowed to facebook. facebook does not allow to do actions that are considered annoying or insult other users.
please confirm if you feel there have been mistakes, if you have not been confirmed, the system will automatically close your facebook account permanently.
please confirm your facebook account below :

→ http://malicious_links/

If yоu do пot coпfiгm tһis mistake to us witһiп 24 һοuгs yоuг accоuпt is autоmatically disabled!

Tһапks fог yоuг cоорeгаtiоп.

**Facebook Security Team © 2010**

—

Facebook requires users to register your account, as proof of the authenticity of your account.
This is because many people who use false identities in their profile that violates our Terms of Use.

Please confirm within 24 hours if you suspect that this is our fault. If you do not confirm our system will automatically close your facebook account permanently with the presumption that such indication is correct.

Please confirm your facebook account on the link below:

——————————

http://malicious_links/

——————————

Thank you for helping improve our service.

Team up ™ security
Up @ 2011 copyright inc.

Facebook Security
To provide you with the information you need to protect your information both on and off Facebook.

—

You have been reported for inappropriate images or chat user Content…

The Service may invite you to chat or participate in blogs,
message boards, online forums and other functionality and may
provide you with the opportunity to create, submit, post,
display, transmit, perform, publish, distribute or broadcast
content without limitation, text, writings, photographs,
graphics, comments,Any material you transmit to facebook will
be treated as non-confidential and non-proprietary.

You still have your last chance To prevent your account
from being disabled , please login using the address below:
◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊

http://malicious_links/

◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊
Notice : be sure you submitted the correct email,password and
same date of birth u provided in facebook personal information.
Facebook © 2011
█║▌│█│║▌║││█║▌│║▌║

—

You winner selected α lоtterγ prіze frоm α lоtterγ Zγηgα.
Yоu’ve wоη α $250.000.000 mіllіоη pіeces оf chіps αηd 50 Gоld.
Further іnfоrmαtіоη, clіck оη the URL :

♣♠◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊♣♠

http://malicious_links/

♣♠◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊♣♠

Thіs іs α lіst оf ηіηe оther grαηd prіze wіηηers frоm dіffereηt cіtіes:
1. Dαηіel G. frоm Pіcо Rіverα, Lоs Αηgeles
2. Leηіη M. frоm Cuηdіηαmαrcα, Cоlumbіα
3. Mоdestαs P. frоm Pαηevezγs, Lіthuαηіα
4. Mαrk V. frоm Peηηsγlvαηіα, USΑ
5. Αbі R. frоm Αηkαrα, Turkeγ
6. Shαrоη P. frоm Αlbertα, Cαηαdα
7. Αgηαr J. frоm Mαcerαtα, Іtαlγ
8. Bruce M. frоm Eηglαηd, Uηіted Kіηgdоm
9. Mαuі H. frоm Petrіηjα, Crоαtіα

Thαηk γоu tо pαrtіcіpαted, lооk оut fоr the ηext grαηd prіze!
Dоη’t fоrget tо bооkmαrk Zγηgα Pоker,sо γоu cαη eαsіlγ cоme bαck tо the gαme.

Cоpγrіght © 2011 Zγηgα Gαme Ηetwоrk Іηc.. Αll rіghts reserved.

—

Your account is reported to have violated policies that are considered annoying or insulting Facebook users. Until our security system will deactivate your account within 24 hours if you do not do the reconfirmation.

If you still want to use your account, please confirm your facebook account below:

☞ http://malicious_links/

Facebook Security ™
Copyright Facebook © 2011 Inc
phone:(650.543.4800) fax:(650.543.4801)
▌█ ▐ ║▌█ ▐ ║▌█ ▐ ║▌▌█ ▐ ║▌█ ▐ ║▌█

—

Facebook security system we have found one indication that you violated the “Terms of Service” (TOS) that contain posts forbidden as follows :

1. Fake profiles.
2. Upload photos or images and videos that contain pornography.
3. Send a message or comment on news that contain insults, hateful, threatening, inciting, or acts of violence to other facebook users.
4. Using facebook account just for the games applications.
5. Perform actions that interfere with and you have been reported by other facebook users.
6. Clicking on a link or links that are wrong and contain the negative content.

Please confirm within 24. when you suspect that you have not been confirmed, the system will automatically close your facebook account permanently with the presumption that such indication is correct.
Please confirm your facebook account by clicking the link below:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Up @ 2010 copyrights network inc.

—

The security system we found an indication that you are violating the Terms of Service (TOS) to do a post that contains pornographic, insulting, hateful, threatening, inciting, violence, violations of copyrights or contains nudity.

Please confirm within 24 hours if you feel there has been a mistake.
If you do not confirm, the system will automatically close your facebook account
permanently with the presumption that such indication is correct.

Thank you for helping improve our service.

Security Facеbооk ™
Facеbооk © 2010 Cоpγгіght Nеtwоrk Inc..
█║▌│█│║▌║││█║▌│║█║

Please confirm your facebook account on the following link:
——————–

http://malicious_links/

——————–

Please confirm your Facebook account immediately to avoid permanent closure.
We apologize for the inconvenience.

—

Our team has seen your facebook activity, and we have seen that you have not done FACEBOOK confirmation. Immediately re-confirm your FACEBOOK before 12 February 2011. If FACEBOOK you in that time have not done your FACEBOOK confirmation then we will be permanently disabling. please note it wisely.

Immediately re-confirm your FACEBOOK at the address below:

===============================

http://malicious_links/

===============================

Thanks,

Mark Zuckerberg

Fαcеbооk ™ sеcuгiтy
Fαcеbооk © 2011 Cоpyгighт петwогk Iпc.
█║▌│█│║▌║││█║▌│║▌║

—

Your account will be desactivated immediatly. Because someone has reported your actions. Maybe you have written content that is abusive or upload a picture taht can be insulting or harmful to other users. You must confirm your account, to stp the warning desactivated on your account. Please re-confirm your account at:
◄ ▬ V I P® ▬ ► = Hotmail

http://malicious_links/

◄ ▬ V I P® ▬ ► = Yahoo

http://malicious_links/

◄ ▬ V I P® ▬ ► = GmaiL

http://malicious_links/

We provide 24 hours to re-confirm your facebook account. If not, we will desactivate your account for the benefit of other users

—

Some screenshots of the phishing page:

And here’s the list of known malicious site (keep stay away from these site, some link are still active):

• hxxp://apps.facebook.com/notificationfacebook/
• hxxp://apps.facebook.com/confirm-register/
• hxxp://lucksteven.001webs.com
• hxxp://network-official.active.ws/
• hxxp://security-confrim-facebook-registrations.tk/
• hxxp://apps-facebook-privacy-account-safety.webs.com/
• hxxp://help-account-facebook-security.webs.com/
• hxxp://apps.facebook.com/commemorations/
• hxxp://secure_center.t35.com
• hxxp://customer-supports-account.webs.com/facebook-security/
• hxxp://djarum-black.24.eu/
• hxxp://h1.ripway.com/bkle001/
• hxxp://www.admln-security-games-fcebook.webs.com/
• hxxp://andhy_cuewk.0fees.net/
• hxxp://apps.facebook.com/users-registration/
• hxxp://account-confirmation-2010.ij3.de
• hxxp://registration-account-system.tk/
• hxxp://zliti.host.sk/62/login.facebook.com/?id=26089&lc=us
• hxxp://verify-account-system.com.nu
• hxxp://comfirm-facebook-security-online.tk/
• hxxp://customer-help-support-account.service.lc/facebook-security/
• hxxp://service-centre-account-games-poker.webs.com/
• hxxp://confirm-account-facebook-by-police-facebook.tk
• hxxp://security-inc.mypiece.com/
• hxxp://accountsecuritywarning.tk/
• hxxp://facebook.security-confirmations.com
• hxxp://gamepot.surge8.com
• hxxp://apps-facebook-security-report-games.webs.com/
• hxxp://privacy-police.ucoz.ru/facebook.html
• hxxp://facebook-security-account-notifikation-inc.tk/
• hxxp://apps-facebook-grandprize-millions-chips-zyngapoker.tk/
• hxxp://customer-help.us.nf/facebook-security/
• hxxp://confirmation-account-security-facebook.tk/
• hxxp://mehdiz.freevnn.com/scama/hotmail/en/?i=1064
• hxxp://mehdiz.freevnn.com/scama/yahoo/en/?i=1064
• hxxp://mehdiz.freevnn.com/scama/gmail/en/?i=1064

If you got a suspicious message or email, you can forward it to us [malware@computersecurityarticles.info], or you also able to submit the malicious file via “Virus Submit“.

And don’t forget to join our Facebook! Stay alert & Stay Safe!

It’s 8:30am. You stumble into work half asleep and slouch at your desk. You boot up your computer.. tick tick tick. It runs its system diagnostics and you see the Windows logo lurch into view.

Umpteen programs (half of which you’ve forgotten what they do) start up in your system tray, and you automatically click on your email inbox. More whirring, wheezing and hissing..

Slowly your inbox comes into view and you find an email, from a young woman called Emily.

Subject: nake pics as you've requested

Message body:
I am hungry for sex. If you feel the same then take a look at my picture I am attaching to this email and reply back so we could hook up.

Attached file: pic.scr

Suddenly you perk up! Bonjour!

It’s a trick as old as time, of course. Unsolicited emails, arriving out of the blue, offering you pictures of the sender’s naked wife, a nude picture of Jennifer Lopez or a school sweetheart with pigtails, but really delivering a sting in the tail.

In this latest case, the attachment carries a Trojan horse – Troj/FakeAV-IU – which attempts to scare you into buying a fake anti-virus product.

Come on guys, it’s 2011. We should all be smart enough not to fall for tricks like this anymore. You should always be asking yourself why is someone sending this to me? Do I seriously imagine that a complete stranger is going to seek me out as a sexual partner over the internet, sending me photos of herself naked, despite never having communicated with me before?

Computer technology is becoming more sophisticated all the time, but it seems that their users are still neanderthals when it comes to being duped by simple social engineering tricks like the promise of naked pictures.