Tag Archive | "Spam"


Facebook comment-jacking? OMG! I Can’t believe JUSTIN Bieber did THIS to a girl

It’s starting to seem like Facebook can’t win against those who wish to use their service to scam, spam and simply cause trouble. Over the last day or so, a new type of attack has been spreading using the phrase “OMG! I Can’t believe JUSTIN Bieber did THIS to a girl”.

It leads to a page asking you to verify a simple math problem to “prevent bots from slowing down the site”. In actuality, it is another clickjack-type scheme in which you are asked to type the answer into a box.

Comment-jack security check

It doesn’t matter what you type, because it’s a social engineering trick. What you are actually typing is a comment that is used to share the link with your friends on Facebook. You can see the tooltip that says “Add a Comment” in the screenshot.

This bypasses Facebook’s recent attempt at detecting likejacking fraud. Links you comment on are not using the same mechanisms that Facebook is monitoring when you click “Like”.

Many moons ago, the first Facebook attacks started with illegitimate applications asking for permission to access your wall and spread their messages by spamming your friends through wall posts. While this worked well, it was a bit easy for Facebook to track down and remove the bogus apps.

Early in 2010 we saw the first attempts at likejacking. This technique involves layering one image over the top of a Like button and tricking the victim into clicking something that appears to play a video or a continue button, when in fact they are clicking the Like button hidden underneath.

Facebook Bieber scam wall post

More recently we have seen the attackers trying lots of new techniques. In the past few months we have seen them tagging people in photos they are not in to get you to click, inviting people to fake events and even making you an administrator of a Facebook page that isn’t yours.

While protecting yourself may not be as simple as not clicking anything that says “OMG!”, that isn’t a bad start. Be skeptical, understand that messages from your friends may not in fact have been sent to you willingly, and if you are really tempted to click, take a short timeout to conduct a Google/Bing search.

As of the time of this writing some of the YouTube videos this scam leads to have been removed by YouTube. However, one video that is still working has over 525,000,000 views since February and thousands of comments in the last 24 hours — in other words, since this Facebook scam has been making the rounds.

To stay up to date on the latest threats, follow us on Facebook. For advice on how to configure your profile to protect your privacy check out our recommendations for Facebook settings.

Posted in Sophos

Malicious Spam on the increase again

Malware distribution via email is far from dead. While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again, with the proportion of spam carrying malware attachments rising, although it is still not as high as the peaks we saw in the middle of last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again

After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap, especially as it claims that money on your credit card was involved. But take a closer look at the subject line, “Successfull Order 3677718”: that wrong spelling should easily alert you that this email is a scam.

Cutwail Spam Campaign

Another malicious spam campaign, originating from the Donbot botnet, came in later this week. It uses a common, uncreative theme, with subject lines like “my hot pic : )”, “my naked pic is attached”, etc. The Donbot botnet’s spam output is on the rise, and this is the first time we have seen it spreading malicious attachments.

Donbot Spam Campaign

Both spam campaigns contain a zipped attachment which, once extracted, contains an executable file that downloads – surprise, surprise – Fake Antivirus:

In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, which preys on people’s fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate themes, among others.

Recent Facebook spam campaign sent by Asprox

The attachment is a Trojan that aims to seed the Asprox bot executable on the infected host, which is then used for spamming purposes.

SMTP transaction of Asprox’s process ASPIMGR.EXE

We have blogged about these types of threats many times before. In a sense, it’s the same old stuff with slightly different social engineering. Be wary.

Posted in Security

Malicious E-Cards on the prowl

Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works. Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email. Our customers are protected from this threat by ACE, our Advanced Classification Engine.


Let us first look at the sample email.  The URLs used in the emails are either compromised sites or were only created barely two weeks ago.


Screen shot 1 : Sample email that the Websense Email Threat Team got hold of recently



Clicking the URL within the email directs you to a site containing obfuscated code similar to the one shown in Screen shot 2. This code then creates an iframe containing another URL, which you can see in Screen shot 3.


Screen shot 2 : Obfuscated code of the URL that came with the email


Screen shot 3 : Deobfuscated code of the URL from the email.


The content of the URL specified in the iframe contains another obfuscated script. This script, which uses redirection code strikingly similar to the one in our recent blog, in turn drops the exploit code and runs a rogue AV on the victim’s machine.


Screen shot 4 : Code snippet of the URL specified in the iframe used in redirection


Having the victim click on the link and then download an executable is usually the norm in these types of attacks. However, in this case, victims are exploited, and malware is downloaded and executed, simply by clicking the URL link that came with the email.


Screen shot 5 : Snapshot of the malicious website used in the email


Websense Email Security and Websense Web Security protect against these kinds of blended attacks.

Posted in Security

Cyber Crooks All Set to Crash the British Royal Wedding

As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.

Spam campaigns

We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.

In one such recent spam campaign, email promoting a “limited edition Buckingham Mint Royal Wedding Commemorative Coin” at a discounted rate is being observed:


The IP address involved in this particular spam attack is from a domain owned by an email marketing company based in the UK. The link in the body of the email first briefly redirects to the domain lpmtrk.info (created on January 14, 2011) before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure its identity so it could be used for spamming activities.

In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:

Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:

From: Sovenir <souvenir@yahveh.permissionalert.com>
From: Sovenir souvenir@ardent.informationfoot.com
From: “Timeless Royal Ring” <royalring@yinstenarm.com>
From: “British Heirloom Ring” <royalring@yinstenarm.com>

Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring

The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.

The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.

Black hat SEO

With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.

At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.

Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:


Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”

The Norton Safe Web site reports at safeweb.norton.com provide a detailed threat report for sites rated red or yellow:

Here are some other search terms currently returning poisoned links:

  • william and kate movie cast
  • prince charles age
  • princess diana death facts
  • prince harry last name
  • william and kate movie on lifetime
  • royal wedding guest list bush
  • royal wedding guest list snubs
  • prince charles siblings
  • the royal wedding date and time

We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques, such as keyword stuffing, cloaking, and link farming, to “game” the search engine algorithms and achieve high search engine rankings.

These poisoned links generally have the following pattern:

hxxp://<domain name>/<random 2 character string>-<search keyword>

Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We came across 11 different co.cc domains being used in this campaign so far.
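As an added illustration, not part of the original post, the following Python snippet applies the two signals described above (the `/<2 character string>-<search keyword>` path shape and a redirect to a co.cc host) to a few constructed proxy log lines; the log format, host names and client addresses are all invented for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the original post). Fields:
# client_ip method url status location_header ("-" when no Location header)
SAMPLE_LOG = """\
10.0.0.5 GET http://news-example.test/royal-wedding-schedule 200 -
10.0.0.7 GET http://compromised-example.test/qz-royal-wedding-gown-sketches 307 http://scan-example.co.cc/scan.php
10.0.0.7 GET http://scan-example.co.cc/scan.php 200 -
10.0.0.9 GET http://another-example.test/ab-prince-harry-last-name 307 http://av-example.co.cc/index.html
10.0.0.3 GET http://compromised-example.test/about-us 200 -
10.0.0.4 GET http://blog-example.test/x1-kate-middleton-dress 200 -
"""

# Path shape reported in the post: /<random 2 character string>-<search keyword>,
# where the keyword is a hyphen-joined phrase such as "royal-wedding-gown-sketches".
POISONED_PATH = re.compile(r"^/[a-z0-9]{2}-[a-z0-9]+(?:-[a-z0-9]+)*$", re.IGNORECASE)

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Split one constructed log line into its fields; returns None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    client, method, url, status, location = m.groups()
    return {
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def is_rogue_av_host(url):
    """The campaign's rogue AV landing pages were hosted on co.cc domains (per the post)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "co.cc" or host.endswith(".co.cc")


def classify(entry):
    """Return a reason string if the request looks like a poisoned SEO link, else None."""
    path = urlparse(entry["url"]).path
    path_matches = bool(POISONED_PATH.match(path))
    # The post observed 307 Temporary Redirects; any 3xx with a co.cc Location
    # header is treated the same way here so a change of status code is not missed.
    redirect_to_rogue = (
        300 <= entry["status"] < 400
        and entry["location"] is not None
        and is_rogue_av_host(entry["location"])
    )
    if path_matches and redirect_to_rogue:
        return "poisoned-path+redirect-to-co.cc"
    if redirect_to_rogue:
        return "redirect-to-co.cc"
    if path_matches:
        return "poisoned-path-pattern"  # weaker signal: shape only, no redirect seen
    return None


def find_poisoned(log_text):
    """Scan a whole log and return (url, reason) pairs for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["url"], reason))
    return hits


if __name__ == "__main__":
    for url, reason in find_poisoned(SAMPLE_LOG):
        print(f"{reason:35} {url}")
```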

The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:

When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.

Symantec’s multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.


Norton survey results

Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts, as listed below, as well as some that were quite shocking:

* 62% of Americans surveyed are likely to follow the British royal wedding.

* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.

* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.

* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.

* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.

Royal Wedding 2.0 – The first “e-royal wedding”

* Nearly 40% of all respondents will seek their royal wedding information online.

* 67% of 18-34 year olds will seek their royal wedding information online.
* 87% of 18-24 year olds will seek their royal wedding information online.

* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.

* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).

People are unaware and unprotected from cybercriminal “wedding crashers”

* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.

* 87% of 18-24 year olds seek their royal wedding information through online channels, and, shockingly, that same amount of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.

—————————————

Note: This blog has been researched and written by Symantec’s Suyog Sainkar, Nithya Raman, and Helen Malani.

Posted in Symantec

Malware spammed out as “FaceFacebook Support”.

Another Facebook spam mail, pretending that your password is not safe, is currently circulating on the Internet.
The subject is: FaceFacebook Support. Personal data has been changed!ID55733.
The email comes with an attachment called New_Password_IN33494.zip.



The zip file (New_Password_IN33494.zip) contains the file New_Password.exe, which Quick Heal detects as “Trojan.Menti.gen”.
New_Password.exe tries to fool the victim by appearing to be a Microsoft Word document. You should never trust a file by its icon; always pay attention to the file extension. Also make sure that Windows Explorer is set to show file extensions.



On execution, New_Password.exe writes into the memory space of svchost.exe, deletes itself and downloads a file called document.doc from the domain profmiale. ru, which is then saved to the desktop. This file contains a username and password.



While the victim is looking at these new login credentials, another binary is downloaded from profmiale. ru and saved to the %temp% folder as 1.tmp. Once 1.tmp is executed, the computer immediately reboots.

Files:
%userprofile%\Desktop\document.doc
%userprofile%\Local Settings\Temp\1.tmp


Thanks to Mahesh Mane for the detailed analysis.

New spamvertized campaign theme

The wave of United Parcel Service, DHL Global and Post Express Office spam – which has been so prolific and has been leading to scareware infections – changed to Bobijou Inc. over the Easter weekend.

However, the first batch sent out was flawed. As you can see below, the file attached has a “.dat” extension.

The mistake was rectified on Monday, with a proper zipped attachment:

Once extracted, the file looks like a PDF document, but is in fact an executable:
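This post and the “FaceFacebook Support” post above both describe the same trick: an attachment whose name or icon suggests a document while its bytes are a PE executable. As an added example, not the author’s code, the following Python compares a file’s leading bytes with the type its name claims and inspects the members of a zipped attachment the same way; the zip, the stub MZ bytes and the file names are constructed for the example (the icon trick itself cannot be detected from bytes, only the extension and content mismatch can).

```python
import io
import os
import zipfile

# Leading bytes ("magic numbers") for the file types these campaigns imitate or use.
MAGIC = {
    b"MZ": "executable (PE)",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "legacy Office document (OLE2)",
    b"PK\x03\x04": "ZIP archive",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".pdf", ".txt", ".rtf"}

# Constructed stub: an MZ header followed by padding. It is not a working program,
# it only carries the signature a real PE file starts with.
FAKE_PE = b"MZ" + b"\x00" * 62


def sniff(data):
    """Identify a file by its first bytes, independent of its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_file(name, data):
    """Compare what the name suggests with what the bytes say; returns a list of findings."""
    findings = []
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    final = exts[-1] if exts else ""
    kind = sniff(data)
    # "invoice.pdf.exe": with extensions hidden, Explorer shows only "invoice.pdf".
    if final in EXECUTABLE_EXTS and len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension: looks like {exts[-2]} but ends in {final}")
    # A document-looking name (or no extension) on bytes that start with MZ.
    if kind == "executable (PE)" and final not in EXECUTABLE_EXTS:
        findings.append(
            f"content mismatch: named {final or '(no extension)'} but starts with MZ (PE executable)"
        )
    return findings


def inspect_zip_attachment(zip_bytes):
    """Assess every member of a zipped attachment; returns {member name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)  # the longest magic above is 4 bytes
            results[info.filename] = assess_file(os.path.basename(info.filename), head)
    return results


def build_sample_zip():
    """Constructed attachment in the shape the post describes: a zip holding an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_details.pdf.exe", FAKE_PE)
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in inspect_zip_attachment(build_sample_zip()).items():
        print(member, "->", findings or "no findings")
```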

Detection rates are not bad, although leading AV vendors still let it get through to the Inbox.

Bobijou is a famous British pearl jewellery brand. I wonder why pick on a jeweler? Is it because of the upcoming Royal Wedding?

Jerome Segura

Posted in Security

“Download photoalbum” another variant of “i got u surprise”

Previously we have written about the “i got u surprise” spam trojan on Facebook. And today we discovered yet another variant. This time, the message received by the victim is only “u?” followed by a link, with the subject “Hello”.

When clicked, the link leads to the following address:

  • http://photo-album-#####.##/

The site only contains a message “Download photoalbum“, which is a link to the trojan file.

Just like previous variants, when executed it will send the same spam message to every friend on Facebook. The data used for the spam is obtained by querying its C&C servers, this time located at ddk100.com (previously located at ddk1000.org).

After decoding, we get:

1000|60000|Hello|u?
[http://goo.gl/Slqcr|http://goo.gl/QL5pE|http://goo.gl/FEUHe|http://goo.gl/4ol7i|
http://goo.gl/uvKBq|http://goo.gl/9TC4b|http://goo.gl/Si0jK|http://goo.gl/DcpVL|
http://goo.gl/mxcsM|http://goo.gl/vDFeS|http://goo.gl/5pHda|http://goo.gl/NagRi|
http://goo.gl/l7vbA|http://goo.gl/CC7kk|http://goo.gl/5uoiD|http://goo.gl/6vALZ|
http://goo.gl/ucVv8|http://goo.gl/L62bA|http://goo.gl/Rf6iM|http://goo.gl/TuHXw|
http://goo.gl/VWMUT]
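The decoded response has a simple shape: a pipe-separated header line, then a bracketed, pipe-separated list of short links. As an added example (not code from the original post or from the malware), this Python parser extracts the subject, message text and link list, defangs the links for sharing, and checks whether an observed message matches the campaign; the sample response is constructed with placeholder goo.gl paths, and the meaning of the two leading numbers is not stated in the post, so they are kept as plain integers.

```python
import re

# Constructed sample with the same shape as the decoded C&C response in the post;
# the short-link paths are placeholders, not the real ones.
SAMPLE_RESPONSE = """1000|60000|Hello|u?
[http://goo.gl/EXAMPL1|http://goo.gl/EXAMPL2|
http://goo.gl/EXAMPL3]"""

URL_RE = re.compile(r"https?://\S+")


def parse_cnc_response(text):
    """Split the response into its header fields and the bracketed link list.

    Header: <number>|<number>|<subject>|<message>. The post says the victim
    receives subject "Hello" and message "u?"; what the two numbers control
    is not stated there, so they are returned uninterpreted.
    """
    header, _, rest = text.strip().partition("\n")
    fields = header.split("|")
    if len(fields) != 4:
        raise ValueError(f"expected 4 header fields, got {len(fields)}")
    body = rest.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("link list must be enclosed in square brackets")
    # The list may be wrapped over several lines, so strip each entry.
    urls = [u.strip() for u in body[1:-1].split("|") if u.strip()]
    return {
        "numbers": (int(fields[0]), int(fields[1])),
        "subject": fields[2],
        "message": fields[3],
        "urls": urls,
    }


def defang(urls):
    """Rewrite http(s):// as hxxp(s):// so the links are not clickable when shared."""
    return [re.sub(r"^http", "hxxp", u) for u in urls]


def message_matches_campaign(config, subject, body):
    """True if an observed message carries this campaign's subject, text and one of its links."""
    if subject != config["subject"] or not body.startswith(config["message"]):
        return False
    links = URL_RE.findall(body)
    return any(link in config["urls"] for link in links)


if __name__ == "__main__":
    cfg = parse_cnc_response(SAMPLE_RESPONSE)
    print("subject:", cfg["subject"], "message:", cfg["message"])
    print("links to block:", defang(cfg["urls"]))
```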

Another interesting thing is that this malware is able to create a dummy blog at Blogger.com and then automatically generate a short URL for it using goo.gl. The blog is created shortly after the victim logs into their Google account. The newly created blog URL and the short URL are then sent back to the C&C servers. The blog is simply set up as a redirector that sends the victim to the malicious site hosting the malware, by changing the blog template to load the address designated by “url.js”.

If you get a message that contains one of these links, please do not click!:


Emsisoft Anti-Malware detects the threat as a Trojan-Downloader.Win32.FraudLoad. At the time of writing this article, the detection rates are still low, only 14/41:

Join our Emsisoft Facebook page, and don’t forget to follow our Twitter to stay up to date.

Posted in Emsisoft

PlayStation Network hacked: Personal data of up to 70 million people stolen

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID

Sony statement

In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

So you should always use unique passwords.


Oh, and you better be sure that you have changed your “secret answers” too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be from a legitimate organisation (perhaps Sony themselves?) to steal more information, or which carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.

If you’re a user of Sony’s PlayStation Network, now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account become a casualty following this hack.

That means changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply tell your bank that as far as you’re concerned the card is now compromised.

More information can be found in Sony’s blog post.

Posted in Sophos

I LOVE YOU – Virus-inspired movie trailer and world premiere

The Love Bug. I LOVE YOU. LoveLetter. All different names for one of the world’s most famous viruses, which spread around the globe in May 2000, infecting millions of computers and clogging up email systems.

If you have an interest in IT and were around at the time, you’ll surely remember it. But if you don’t, you can quickly catch up by checking out my memories of those crazy days.

So what can possibly be new to say about the Love Bug? Well, on Friday a movie inspired by the malware will be getting its world premiere.

The stars of 'Subject: I love you'

I first wrote about “Subject: I Love You” way back in November 2008, but now it’s finally seeing the light of day – at 5pm on Friday 30th April, at the Newport Beach Film Festival in California.

And here is its trailer:

It certainly looks professionally done, and has some not entirely unfamiliar actors (Briana Evigan plays the female lead, ex-Superman Dean Cain has a role, and True Blood’s Kristin Bauer also features).

Want more information about the movie? Here’s the promotional puff:

This action-packed romantic drama is based on the destructive ‘I Love You’ computer virus. This virus spread around the globe at the turn of the millennium, shutting down computer systems at the Pentagon, Parliament and the CIA. For Victor he will do anything to reconnect with the only woman he’s ever loved – even if that means entangling himself in an international criminal investigation. Never have the words “I love you” almost ruined the world.

It sounds like your usual story of “Boy meets girl. Loses girl. Writes computer virus to infect millions of computers around the world to tell girl he loves her. Gets girl.” Nothing out of the ordinary there, then.

Inspired by true events? Hmm.. well, not with the greatest precision. The real Love Bug wasn’t written to impress a girl, but instead attempted to steal internet passwords. One wonders also if the film’s producers will engage in any err.. viral marketing to promote it.

I don’t want to come across as too much of a fuddy-duddy, but let’s hope the movie doesn’t glorify too much the creation of malware. Even in the days of the Love Bug it was a problem which could have a serious impact on businesses and home users.

If you’re able to get to the movie premiere and see “Subject: I Love You” why not leave a comment with your review of the film?

Posted in Sophos

Is Kian Egan leaving Westlife or has he been Twitter hacked?

Kian Egan, a singer with the Irish boyband Westlife, has been forced to deny that he is leaving the chart-topping pop group after statements were posted on his Twitter account.

Egan had over 60,000 followers on Twitter, and the news would surely have plucked the heartstrings of his many young female fans:

Kian Egan tweets

It took me a very long time to come to this conclusion. I have had an amazing 12 years with the boys and wish them the best of luck in the future. The boys are going to continue as a three piece.

Egan claims, however, that the tweets were posted by a hacker who compromised his @KianEganWL account, which has subsequently been suspended.

He took to the Twitter account of his singer/actress wife Jodi Albert to blame a hacker for the posts announcing his retirement from Westlife.


Jodi Albert

Hi Everyone Kian here on Jodi's account. I am NOT Leaving Westlife. Someone has hacked into my account. Trying to sort out my account now. X

Famous figures who have fallen victim to a Twitter hack in the past include Ashton Kutcher, Lil Wayne, Axl Rose, Britney Spears and plummy-voiced British TV property crumpet Kirstie Allsopp.

Even publications like the New York Times and humourous phenomenon ShitMyDadSays have fallen foul of hackers on Twitter.

It’s worth bearing in mind, however, that sometimes celebrities might have claimed to have been hacked on Twitter when in fact it’s quite possibly not true.

But if we take Kian Egan at his word, and believe that he was indeed hacked on Twitter, then he would be wise to take steps now to prevent it from happening again.

Remember, you should always choose a non-dictionary word that’s hard to guess as your Twitter password, and never use the same password on multiple websites.

Here’s a video where I describe how to choose a stronger password. Unfortunately it’s not like a Westlife video, as I don’t step up from my stool and make a dramatic key change towards the end.


Also, be on your guard against phishing sites and ensure that your computer is running up-to-date anti-virus software to protect against keylogging spyware which may attempt to steal your information.

Finally, consider carefully which third-party applications and websites you allow to connect with your Twitter account.

Posted in Sophos

‘Nigerian’ spam from Egypt and Libya

The revolutions spreading across the Arab world have grabbed the attention of people across the globe, including cybercriminals: so-called ‘Nigerian’ spam emails have recently appeared claiming to be from a variety of “relatives” of Gaddafi and Mubarak. There’s absolutely nothing new about the messages they send: the ‘Nigerians’ don’t always introduce themselves as the solicitor of some anonymous oil tycoon or the dying widow of an innocent civil servant who was murdered; increasingly, they are legally-appointed executors or relatives of well-known people who have suffered in one way or another at the hands of political opponents.

For instance, some time ago we received an email from an Olga Patarkatsiashvili who wrote in poor English asking to help her transfer the millions of the late Badri Patarkatsiashvili (a Georgian businessman and presidential candidate who died in 2008), emphasizing that she herself has been denied access to his funds. Following the wave of protests affecting Arab countries there has been a steady stream of Egyptian- and Libyan-themed ‘Nigerian’ spam.

A certain Barrister Alexander James Williams, who claims to be a representative of Hosni Mubarak, asks for help in transferring 29 million pounds. He claims that a UK resident is required to process the transaction, but the email was sent to a Russian resident who has an account with the Russian email service mail.ru.

The legal firm Galadari and Associates based in Dubai and supposedly representing Hosni Mubarak’s son asks for help in transferring US$145 million (suggesting the son is considerably richer than his father). Notably, Galadari and Associates “have studied your profile and know your position”, and are therefore quite sure that the transaction will be a success.

In the third email from “the personal account officer of Hosni Mubarak”, the amount of money is not stated, though the message is the same: please help to transfer funds – we cannot do it ourselves because of the revolution.

Emails from the family members of alleged victims have also come from Libya. Here is an email supposedly written by the “son” of Muammar Gaddafi who says his name is Saif al-Islam Al-Gaddafi. Together with his father they have decided to transfer their funds abroad “before the crisis get more worse”. So, you are welcome to help the president’s son “if you are interested and willing”!

Moussa Koussa, Libya’s ex-minister of foreign affairs, does not state his purpose directly. He simply asks the recipient for help, obviously hoping to get someone’s attention and enter into correspondence, and will most likely inform the interested partner of the amount of money later. However, the address in the “From” field is a bit strange and looks as if the sender has forgotten to change it after a previous spam mailing.

Of course, the Internet is awash with such messages, with the number of references to the senders’ biographies as well as the number of mistakes varying from message to message. If nothing else, the criminals have once again demonstrated how quickly and flexibly they can react to the latest news – they simply modify their templates to suit the latest events, increasing the chances of someone falling for their scams.

So, while pseudo-benefactors collect funds for earthquake victims in Japan, those behind the ‘Nigerians’ letters are transferring millions of dollars from Hosni Mubarak and Muammar Gaddafi’s bank accounts.

Posted in Kaspersky

Anger after scam-exposing community shut down by Facebook

In a bizarre and hard-to-understand move, a Facebook page which claims it helped countless Facebook members stay safe online on the social network has been shut down… by Facebook.

The Bulldog Estate is one of a number of different resources on the internet dealing with the subject of Facebook scams, rogue applications, and the like. Other examples include Scam Sniper, FaceCrooks and Sophos’s own Facebook community.

On Monday 18th April, the Facebook page belonging to Scam Sniper was shut down by Facebook authorities:


Scam Sniper

Notice: The Sniper Has Been Shot. Facebook Disables The Admins Of The Facebook Fan Page Scam Sniper. http://goo.gl/RdlVF

Later that day, the same fate befell The Bulldog Estate’s Facebook presence, leading the scam-exposing site to say that Facebook had made a bad PR move:


The BULLDOG Estate

The BULLDOG Estate Facebook Page Has been Closed by Facebook, They Dont Like bad press, Watch… http://goo.gl/fb/K3ODY

The Scam Sniper Facebook page was eventually restored, but Tony Mazan, the owner of The Bulldog Estate, hasn’t had the same luck.

Mazan has been contacting Facebook since Monday attempting to understand why The Bulldog Estate’s Facebook page was closed, and how it might be recovered.

Today Mazan received a standard response from Facebook, which still wasn’t specific about the reasons that The Bulldog Estate’s Facebook presence had been killed off:

"Hi Tony

You created a Page that has violated our Statement of Rights and Responsibilities, and this Page has been removed. Facebook Pages may only be set up for the purpose of promoting a business or other commercial, political, or charitable organization or endeavor (including non-profit organizations, political campaigns, bands and celebrities), and only by an authorized representative of the entity or individual that is the subject of the Facebook Page. By creating a Facebook Page, you represent and warrant that you are authorized to do so by the person or entity that is the subject of the Facebook Page. Among other violations, Pages that are hateful, threatening, or obscene are not allowed. We also take down Pages that attack an individual or group or that promote or glorify violence, intolerance, racism or discrimination. Continued misuse of Facebook's features could result in your account being disabled."

This “explanation” clearly hasn’t satisfied the many fans of The Bulldog Estate, who have created pages urging Facebook to reinstate The Bulldog Estate, and left messages on Facebook’s official safety pages.

“We helped countless members on Facebook and supported Facebook in trying to help Facebook users stay safe online. We do not advertise or make money from our help; our blog writers are volunteers, and our admins are volunteers,” Tony Mazan of The Bulldog Estate told Naked Security. “What we can not understand is why Facebook removed a real help group and yet there are thousands of rogue applications, thousands of hate filled pages, thousands of fake profiles. We are as real as it gets and get shut down.”

“Is it because Facebook security never gets comments like ‘We Love you’ or ‘thanks for always alerting us on time with user-friendly information’,” continued Mazan. “As one of our supporters said – you may shut the dog outside, but you will never silence the bark.”

Although the language used on The Bulldog Estate’s website doesn’t beat around the bush, it seems clear to me that the content they produce is beneficial and helps Facebook users avoid scams and other attacks.

Maybe Facebook needs to be a little less robotic in its shutdown of this scam-exposing community, and could work a little more closely with Tony Mazan and his colleagues to bring what is a helpful resource for its users?

Update: The Bulldog Estate reports that its Facebook page has now been restored, and that Facebook has apologised for its mistake.

Posted in Sophos

How to report a Facebook scam

At some point in your life, one or several of the Facebook scams out there might affect you enough to look for ways to report them and go on a vendetta rampage against the scam creator. In fact, one of the most effective tools against the prolific scammers on Facebook is to report their rogue applications, fake events, wall postings, etc. If enough people take the time to report the Facebook scam, then hopefully, eventually, Facebook will take action and shut them down!

So here goes.  How exactly do you report a Facebook scam? 

Tell Mark Zuckerberg 

…or at the very least tell it to the people in his company tasked with monitoring and responding to Facebook scam complaints. Be on the lookout for that report button that’s hidden somewhere on the page like those hidden Mickeys on the Disney channel.

1. Reporting a Link: Most Facebook scams propagate through the newsfeed. Here, you can already take action and report the scam link. Just hover your cursor over the post and you will see an X button appear in the right-hand corner. Clicking this X button will then give you the option of marking that particular post as spam.

Doing so will replace the post with this text:

Thanks for Your Help

Your feedback helps us keep News Feed clear of spam. Undo Spam Report

File a more detailed report 

Clicking the “file a more detailed report” gives you the option of classifying the post as: 

* Spam or scam

* Contains hate speech or attacks an individual

* Violence or harmful behavior

* Nudity, pornography, or sexually explicit content

2. Reporting an Application: Applications are popular scam vehicles because they can legitimately mine your profile information. Of course, they can also convince you to do some other nifty and ultimately stupid things like answer a senseless survey about what type of werewolf you are, or what other things you do with your toothbrush aside from brush your teeth. It’s understandable how these mindless surveys can induce rage from people who are expecting a free iPad.

To report an application you must scroll down to the bottom of the page and look for the “report App” link which, interestingly enough, is right above the share link. Clicking this link will then give you more options on how to categorize your complaint:

* Privacy issue

* Inappropriate or pornographic content

* Advertising issue

* Spam

* Bullying/Harassment

* Other

You can opt to send a copy of your complaint to the developer and you can also upload a screenshot to give the Facebook security team more info from which they can base their decision.

Another option to report a rogue application is on the familiar application installation screen:


3. Reporting an Event or a Group: The report link for an event or a group can be found way down on the page after the messages. As with the report-a-page link, the options available here are:

* Spam or scam

* Contains hate speech or attacks an individual

* Violence or harmful behavior

* Nudity, pornography, or sexually explicit content

The wall automatically loads older posts as you scroll down so you may have to scroll down for quite a bit before you get to the report link at the very bottom of the page – which is a weird place to set a report button for a company that claims utmost vigilance in protecting its members against scams.

4. Reporting a Message: The report button for Facebook users with the old messaging system can be found in the top bar before the message, much like in Yahoo Mail, Gmail, etc. Just click the report-as-spam button and voila! The report is sent.

Things get a little more complicated for Facebook users who have the new Facebook email. Here, you have to click the actions dropdown button and choose report as spam. Facebook will then ask you to confirm that it’s indeed spam. If yes, it will then move the message to the junk folder – presumably so you can peek at it again should you change your mind later. The good thing in the new Facebook email is that you can also report or block the user who sent the spam message right from the dropdown.

5. Reporting a Photo or a Video: The report button for Photos and Videos can be found on the right-hand sidebar of the item. The options made available when you click the report link on a photo are:

Photo:

* Spam or scam

* Nudity or pornography

* Graphic violence

* Attacks individual or group

* Hate symbol

* Illegal drug use

For a video, the options that appear upon clicking the report link are:

Video

* Spam or scam

* Contains hate speech or attacks an individual

* Violence or harmful behavior

* Nudity, pornography, or sexually explicit content

A caveat from Facebook Help though:

“It is not a violation of our Statement of Rights and Responsibilities to post a photo that is unflattering, so please don’t report a photo just because you don’t like the way you look in it.”

So if someone posts a picture of you drooling in your sleep while you scratch your exposed tummy or laughing out loud with an extra large booger in your nose – don’t get your hopes up that it will be taken down.  But wait, the important thing is that you can report scams and spam right? 

6. Report a Facebook User: In the event of a 419 scam, a cyberbullying scam or a case of identity theft, you can also report a Facebook user profile to the Facebook security group. Identity thefts and cyberbullying cases are pretty easy to recognize. 419 scams on the other hand may be a bit harder to identify since you never know when you are talking to a real Nigerian prince or a friend who got mugged in London and lost much of his or her English writing skills along with their wallet.

In any case, the report button for Facebook profiles can be found near the bottom of the left-hand sidebar – below the profile links, the friend list, the family list and the share profile link. In fact the report link is the bottom-most link – it’s almost like scrolling down has become the digital version of Government red tape.

Upon clicking the report link, the following options are then made available to you: 

Please select one of the following options: 

* This is my profile, but I no longer have access to it

* This profile is pretending to be someone or is fake

* Inappropriate profile photo

* Inappropriate profile information

* This person is bullying or harassing me 

Select the option below if you would like to block this person:

* Block “user name” 

Blocking means you won’t be able to see or contact each other on Facebook. 

7. Report to Facecrooks – Last but not least, be sure to report any scam you run across to us, so we can alert the Facecrooks community! 

Reporting Facebook scams is definitely a very important part in keeping the whole social network secure.  Security experts say that fighting Facebook scams is an uphill battle because it’s almost as easy for scammers to change scam links or create new profiles as it is for Facebook users to report these scams.  You may be only one of the 600 million users on Facebook, but taken as a whole, it’s people who take the time to report scams, security issues and bugs that make this digital social frontier a safer place. 

Posted in Facebook

Rush Towards Gold Related Spam

On April 20, for the first time ever, gold rose above $1,500 an ounce as worries over the U.S. economic outlook boosted demand for the metal as a haven. Within hours, Symantec observed this spammer’s response: a hit-and-run spam attack with the Subject line “Subject: Is Gold Your Ticket To A Golden Future?”

Hit-and-run spam (or snow-shoe spam) is a threat known for its large volumes of spam messages in short bursts, where domains are quickly rotating and the sending IP hops within a certain /24 IP range.

Key characteristics include:

  • The message is in HTML
  • There is some type of word salad or word obfuscation injected between various tags and/or in the URL by means of multiple directories
  • The message is typically sent within the same /24 IP range
  • Domains are rotated quickly
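The /24 hopping and rapid domain rotation listed above can be checked against a mail gateway's connection log. This is an added example, not code from the Symantec post: it runs over constructed log lines (the format, timestamp / sending IP / sender domain / subject, is an assumption) and reports any /24 that delivered a burst of messages from several IPs and several distinct sender domains within a short window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not from the original post). Each line:
# <ISO timestamp> <sending IP> <sender domain> <subject>
SAMPLE_LOG = """\
2011-04-20T14:02:11 203.0.113.17 goldfuture-kit.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:02:45 203.0.113.42 investorkit-now.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:03:09 203.0.113.88 golden-ticket-2011.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:03:52 203.0.113.101 freegoldkit.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:04:30 203.0.113.150 gold-haven.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:05:02 203.0.113.199 secure-gold-kit.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:10:00 198.51.100.7 newsletter.example Weekly market update
2011-04-20T15:30:00 198.51.100.7 newsletter.example Weekly market update
"""


def parse_log(text):
    """Parse log lines into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, ip, domain, subject = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ipaddress.ip_address(ip),
            "domain": domain.lower(),
            "subject": subject,
        })
    return records


def find_snowshoe_bursts(records, window=timedelta(minutes=10),
                         min_msgs=5, min_domains=3, min_ips=3):
    """Return one finding per sending /24 whose densest `window` of traffic
    holds at least min_msgs messages from at least min_ips distinct IPs and
    min_domains distinct sender domains: the hit-and-run signature."""
    by_block = defaultdict(list)
    for rec in records:
        block = ipaddress.ip_network(f"{rec['ip']}/24", strict=False)
        by_block[block].append(rec)

    findings = []
    for block, msgs in by_block.items():
        msgs.sort(key=lambda m: m["ts"])
        # Sliding window over the sorted timestamps; keep the densest one.
        best, start = [], 0
        for end in range(len(msgs)):
            while msgs[end]["ts"] - msgs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = msgs[start:end + 1]
        domains = sorted({m["domain"] for m in best})
        ips = {m["ip"] for m in best}
        if (len(best) >= min_msgs and len(domains) >= min_domains
                and len(ips) >= min_ips):
            findings.append({
                "block": str(block),
                "messages": len(best),
                "ips": len(ips),
                "domains": domains,
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
                "subjects": sorted({m["subject"] for m in best}),
            })
    return findings


if __name__ == "__main__":
    for f in find_snowshoe_bursts(parse_log(SAMPLE_LOG)):
        print(f"{f['block']}: {f['messages']} msgs from {f['ips']} IPs and "
              f"{len(f['domains'])} domains between {f['first']} and {f['last']}")
```

The thresholds are deliberately conservative so a single legitimate sender on a shared /24, like the newsletter lines in the sample, is not flagged.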

The call to action for this particular attack is a URL in the message body which directs the recipient to a Web site where the recipient can request a “free” investor kit. In order to receive the investor kit, personal contact information is requested. Certain personalities are used in the image for this spam campaign including Glenn Beck. A Google search reveals an interesting angle about Glenn Beck promoting gold investments. It seems that the spammer did some research in order to know about the association before propagating this spam campaign.

Symantec has known for some time now that spammers stay on top of current events and adapt their economically focused pitches to the news headlines. In the midst of the economic gloom of October 2007, for example, Symantec reported several spam emails with subject lines such as “Looking to sell your house fast?” and “Get the dough out of your house.” This gold-rush spam attack of April 2011 adds more credence to the argument discussed in a blog post published April 2010, which was written to explore whether the focus of spam email could be used as an economic indicator.

Posted in Symantec

Scam emails – the cost of response

Recently, I received an email in my personal inbox with a subject line “MYSTERY SHOPPER ASSISTANT” (the message did not filter to my junk folder and was not marked as spam).

Image 1 – “Mystery shopper assistant” spam from “Richard Fletcher”

I’m familiar with the hobby of mystery shopping – a service provided under contract where the contractor discreetly reviews an establishment and observes various aspects such as customer service, cost of goods or services sold and so on. The contractor then reports back to the contracting agency and receives a modest payment, commonly less than $50 plus reimbursement for any item purchased. This email, however, was laced with the promise of paying $300 per assignment, which set off my inner suspicion alarm.

Image 2 – the lure

Several key components of the message attempted to lend credibility to the post, for instance, naming companies that employ the services of secret shoppers. The message is a scam, however — readers beware.

The scam scheme begins when the prospective secret shopper responds to the email. The scammer may send the target additional instructions such as what part of the store to review; for instance, Wal-Mart’s “MoneyCenter” service, an in-store service that allows customers to send money electronically to a recipient. The scammer obtains the target’s address and sends them a (fraudulent) cashier’s check with instructions to cash the check, keep $300.00 for themselves, and send the remainder back to the scammer. This is a classic fraud scenario: the trick is that the cashier’s check is made of rubber, and the person cashing the fake check is liable for the amount of the cashed check once it bounces. Meanwhile the scammer has received valid cash at your expense.

Wal-Mart stores have been a conduit for scammers for a few years now, and there is a landing page on the Wal-Mart site describing the “Mystery Shopper Scam”:
http://walmartstores.com/PrivacySecurity/9567.aspx

In a section titled “How to protect yourself“, it is mentioned that no legitimate business “will pay in advance and ask you to send back a portion of the money.” The MMPC concurs with this statement – and don’t forget the old adage that if it sounds too good to be true, it probably is.


– Patrick Nolan, MMPC

Posted in Microsoft

Facebook scam “My Top 10 stalkers” targets users in specific countries

A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook. This one, however, has some interesting twists to it.

The core of the campaign involves a Facebook app that claims to know who your “Top 10 stalkers” are. Our customers are protected from this campaign by ACE, our Advanced Classification Engine.

It works by creating an album – “My Top 10 stalkers” – with the description “Check who views your profile @,” followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to tag all of the user’s friends in the photo.

The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook App in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates.

At the time of writing, the hackers have switched to using a new app. The first illegitimate app was deleted by the Facebook security team. Both apps use exactly the same mechanism to post spam profile messages on Facebook. Regardless of whether the JavaScript redirects the browser to the Facebook app based on its location, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. Hackers use this method to try to collect personal information such as the user’s home address, e-mail address, or phone number.

If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a “SPAM-free market research survey to gain access to this special content.” Special it may sound, but it is definitely not spam-free!

As always, if a page forces you to Like, Share, or install an application in order to view it, DON’T DO IT! Chances are, it’s spam.

Install Defensio, our free security app for Facebook, to prevent scams like this from ever appearing in your news feed.

Posted in Facebook, Security

Unfollowed Me rogue application spreads virally on Twitter

Once again Twitter users are finding themselves hit by a fast-infecting attack, more commonly encountered by their Facebook-using cousins: a rogue application spreading virally across the network.

Thousands of Twitter users have fallen into the trap of allowing rogue third-party applications to access their Twitter accounts, believing that they would tell them how many people have unfollowed them.

42 people have unfollowed me, find out how many have unfollowed you

A typical message reads:

58 people have unfollowed me, find out how many have unfollowed you: [LINK] #rw2011 #duringsexplease #youneedanasswhoopin

See the hashtags? They appear to be currently trending phrases on Twitter – presumably the rogue applications are using them in the messages they spam out in an attempt to trick more users into clicking on the links.

If you do click on the link you are asked to give authorisation for a third-party application to access your Twitter account.

Rogue application on Twitter

Don’t, whatever you do, press the “Allow” button. If you do, then a third party is now capable of tweeting messages in your name to all of your Twitter followers – which spreads the scam virally across Twitter and may result in one of your online friends also having their account compromised.

So, how do the scammers make money? That’s the next piece of the jigsaw.

You’re anxious to find out who has unfollowed you on Twitter. The scammers take advantage of that by presenting a webpage which looks as if it’s about to reveal that information – but is actually designed to make you take an online survey instead.

Rogue application survey scam

The scammers make money for each survey that is completed.

If you were unfortunate enough to grant one of these rogue applications access to your Twitter account, revoke its rights immediately: go to the Twitter website, visit Settings/Connections and revoke the offending app’s access.

Revoke rogue app rights

(Note that the scammers are using a variety of different applications – so you may see a different name from the one I picture above).

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third party apps you allow to connect with your social networking accounts.

If you’re on Twitter and want to learn more about threats, be sure to follow Naked Security’s team of writers.

Posted in Sophos

DSC0173519.zip – spammed out malware attack poses as photo attachment

A stranger emails you out of the blue, offering you a digital photo of themselves.

What do you do?

Don’t risk it – and chuck the email straight in the trashcan?

or

Take a careful look at the email, to try to weigh up the chances of it being a malicious attack?

or

Open the attachment straight away – after all, the chances of peeking at a salacious photograph outweigh the consequences of a malware infection?

Here are the details of just such an email which has been spammed around the world:

Subject: I'm going to send you the Photos in
Attached file: DSC0173519.zip

Message body:
Hello Man,

I don't know how to say it, but I've tryed before a long time to send you some photos, but I've thought that you aren't interested to see me.
But now I'm going to send you the Photos in the Attachment.
Download the pictures and extract they, I'm sure that you will like they.
The password is: 123456

Have a great day.

The messages have one attachment, called DSC0173519.zip. The ZIP file is encrypted (presumably in an attempt to defeat anti-virus products running at the email gateway – sorry Mr Cybercriminal, that didn’t stop Sophos) with the password mentioned in the body of the email.

Within the ZIP is an executable file, DSC0173519.exe, which Sophos proactively detects as Mal/Behav-043.
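A gateway filter can still act on this message without knowing the password: member names in a ZIP's central directory are stored in the clear even when the contents are encrypted, so the filter can see the encryption flag, the .exe inside, and the password quoted in the body. This added example (not Sophos's code) builds a constructed fixture ZIP, marks it as encrypted by setting the general-purpose flag bit, and applies that rule; the verdict names and thresholds are assumptions.

```python
import io
import os
import re
import struct
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Body text modelled on the spam quoted above (a constructed test input).
SAMPLE_BODY = """Hello Man,

I don't know how to say it, but I've tryed before a long time to send you some photos.
But now I'm going to send you the Photos in the Attachment.
Download the pictures and extract they, I'm sure that you will like they.
The password is: 123456
"""

# Matches "password is 123456", "password: 123456" and "password is: 123456".
PASSWORD_RE = re.compile(r"password\s*(?:is\s*:?|:)\s*(\S+)", re.IGNORECASE)


def build_sample_zip(member_name, payload, encrypted):
    """Build an in-memory ZIP test fixture. With encrypted=True, bit 0 of the
    general-purpose flag is set on the local header and the central-directory
    entry, which is how archivers mark a password-protected member. The data
    itself is left in the clear; only the metadata matters for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 6 in a local header (PK\x03\x04)
        # and at offset 8 in a central-directory entry (PK\x01\x02).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0]
                struct.pack_into("<H", data, pos + off, flags | 0x1)
                pos = data.find(sig, pos + 4)
    return bytes(data)


def zip_members(blob):
    """List (name, is_encrypted) for each member, or None if blob is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def password_in_body(body):
    """Return a password the sender spelled out in the message body, if any."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def assess_attachment(body, blob):
    """Return (verdict, reasons) for a ZIP attachment and its message body."""
    members = zip_members(blob)
    if members is None:
        return "pass", []
    reasons = []
    encrypted = any(enc for _, enc in members)
    execs = [n for n, _ in members
             if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]
    pw = password_in_body(body)
    if encrypted:
        reasons.append("encrypted archive: contents cannot be scanned at the gateway")
    if execs:
        reasons.append("executable member(s): " + ", ".join(execs))
    if encrypted and pw:
        reasons.append(f"archive password handed over in the body: {pw!r}")
    if execs or (encrypted and pw):
        return "quarantine", reasons
    if encrypted:
        return "review", reasons
    return "pass", reasons
```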

If you’re not protected by Sophos and make the mistake of running the program, it will drop another file onto your hard drive, which Sophos detects as the Troj/Agent-REX spyware Trojan horse.

In other words, your Windows computer is now infected with malware and a remote hacker could be stealing information from your PC, all because you were tricked into thinking a complete stranger had sent you their digital photograph.

It may be the 21st century, but with social engineering tricks so easily fooling users into making poor decisions maybe we’re kidding ourselves in believing we live in an enlightened world.

Posted in Sophos

The cake is a lie.



Delicious cake – for years, the symbol of a reward never to materialise.

This sad trend continues with the upcoming release of Portal 2, which – as you would expect – is prompting a rash of utterly fictitious cake designed to lure the unwary into mind bending puzzles of a three dimensional nature, or at least some surveys and a slice of malware.

Over the last few days, Twitter users have reported a huge wave of Portal spam, and this will no doubt continue to be an annoyance as excitement builds over the release. Much of the spam makes no sense, or mashes up random Portal-related comments and lines.

See if you can spot the cake mention (yes, this cake was a lie too):


A lot of these spambots were directing users to a “Portal 2 Loader” (hat tip to MrTom), which has been downloaded roughly 4,000+ times and appears to be a Portal 2 crack.


We’re still taking a look at this one, but personally I’d steer clear.

Elsewhere, we have dubious search results. Simply looking for “Portal 2 Still Alive” (you know, the catchy ditty sung by the smiley death robot at the start of the writeup) will bring you a liberal scattering of this:


And also some of that:


Many of the sites are currently down, but there are a lot of dubious results in there so be careful (you can also bring up a bunch of them by searching for the songwriter, the awesome Jonathan Coulton). In a nutshell, any searches involving songs and a state of being alive may serve up some bad vibes in your general direction.

Are those “this site may harm your computer” warnings useful or what?

Anyway, we also have the usual Youtube suspects in the form of endless “Portal 2 keygen / crack” videos:


Without fail, they’ll all dump you on cookie cutter blogs and file upload sites that want some surveys filling in:


Needless to say, filling in these surveys won’t give you a working crack – it’ll be a non functional dummy file or an infection.

I can tell you this much for certain, there definitely won’t be any cake.

There never is.

Christopher Boyd

Posted in GFI Software

Easter greetings deliver malware

The days leading up to major religious holidays are when you should be more careful with the contents of your inbox.

One malicious spam run recently spotted by McAfee consists of a cute image of bunnies, chicks and colored eggs, complete with the offer to download the animated greeting by clicking on the offered link:


The subject line reads “Easter Greeting From Alex”, and people who actually do know an Alex might be forgiven if they clicked through, since the e-mail address from which the message was supposedly sent and the domain name embossed in the image lead to what seems like a legitimate greeting service.

But the link and the image don’t take the unfortunate user to that website; they lead instead to one that triggers the download of a piece of malware that most likely steals personal and financial information from the victim’s computer.

I must admit that this spam message does seem rather legitimate at first glance – there are no spelling mistakes and the aforementioned domain from which the message has supposedly been sent doesn’t trigger any alarm bells.

But in any case, if you do know an Alex (or any other person from whom the greeting seemingly comes), it is a good idea to contact him or her independently of that e-mail and ask whether they did, indeed, send it.


Posted in Malware, Scam, Spam

Spam from your Facebook account? Malware attack poses as official warning

Cybercriminals are adopting a new disguise, following last week’s “Facebook password changed” malware attack.

Computer users are discovering malicious code has been sent to their email inboxes, pretending to be a notification from Facebook that their social networking account has been used to send out spam.

Spam is sent from your FaceBook account

A typical message reads:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it's automatic mail notification!

Thank you.
FaceBook Service.

The attack would, perhaps, be a little more successful at fooling more people if it had gone through a grammar check and if the perpetrators had paid more attention to the fact that it’s spelt “Facebook” not “FaceBook”.

Nevertheless, there are doubtless some computer users who might be tempted to open the attached ZIP file and infect their computers with malware.

We’ve seen similar attacks before, of course – and I imagine that cybercriminals will continue to use ruses like this when spreading their malware. Plenty of people are hooked on Facebook, and a message telling them that their password has been reset is likely to send them into palpitations and they may open the unsolicited attachment without thinking.

After all, it’s not as though spam being sent from Facebook accounts is unusual.

If only more people realised that they cannot trust the “from:” address in an email, as it is so easily forged. In this case it presents itself as being from "Facebook Help" <official@facebook.com>, but in reality it could just as easily be a Hungarian hacker, a Finnish fraudster or a Serbian scammer who initiated the widespread spam attack.

Sophos products intercept the attack as Mal/BredoZp-B.

If you are one of those many people who can’t get enough of Facebook in their lives, you can stay informed about the latest scams by joining the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

Posted in Sophos

Spammers Intend to Make You an Easter Bunny

Easter is a Christian holiday centered on the death of Jesus Christ and His subsequent resurrection several days later. Hence Easter is an important holiday for Christians. But what gets associated with Easter is beautifully decorated Easter eggs found in every decorated shop window this season, and of course the Easter Bunny! To celebrate Easter, people exchange Easter eggs and, over time, this has grown to include personalized e-cards and personalized gifts. Spammers have begun to exploit the season by sending personalized e-cards, gift cards, and replica-spam emails.

Here is a screenshot of a personalized Easter e-card:

Here are some of the headers used in Easter e-card spam:

Subject: Give your child the gift of amazement A Package from The Easter Bunny.

Subject: The Most Popular Gift for Kids this Easter 2011

Subject: Send A Personalized Easter Bunny Letter

Subject: How To Make This Your Childs Best Easter Ever.

Subject: This is the secret to making your kids happy this Easter.

Subject: Personalized Easter Bunny Letters

From: “The Easter Bunny” <The.Easter.Bunny@removed.com>

From: “Easter Bunny” <Easter.Bunny@removed.com>

Where personalized Easter gifts are concerned, spammers have targeted replica products offers at unimaginable discounts (as shown in the image below). To create a frenzy, they have also suggested that they have limited stock and therefore one must “HURRY”! But do not get carried away with such false promises. This could be bait used by the spammers to get a hold of the user’s personal information.

Screenshot of the Web site selling fake replica watches:

As Symantec wishes all our readers a very happy Easter, we also advise you to be cautious when handling unsolicited or unexpected emails, especially during this Easter season. Updating antispam signatures regularly protects your personal information from being compromised.

Thanks to Anand Muralidharan for contributing content.

Posted in Symantec

The Increasingly Shapeshifting Web

Short URL services are problematic, and they are becoming even more so in combination with IP location technologies.

From twitter.com earlier today:

http://twitter.com/#!/olasher/status/59923780021141504

If you look closely, you’ll notice it’s one spambot, @olasher, replying to another spambot, @MorabsShimb3554. Lame, right?

Well, the @olasher account was too obvious; Twitter suspended the account within hours of its creation. The @MorabsShimb3554 account is more subtle, however, and attempts to fly under the radar (successfully so far) by asking the reader to “copy & paste” the ow.ly link.

The ow.ly short link directs through maxbounty.com, and from Finland, redirects to http://fi.toluna.com/Register.aspx, but with an affiliate ID attached, which is how the spammer hopes to make money.

There’s no good way of telling just how many sites the ow.ly link opens; it depends entirely on the user’s point of origin (IP address) and the number of MaxBounty commissions.

Twitter has a very nice tool tip feature that attempts to help by expanding short URLs, but it too suffers from being USA-centric. The links displayed are based on twitter.com’s home IP address. It works great for legitimate links, but not always so well for spammy and/or malicious links, because results vary according to location.

And sometimes Twitter can’t expand to the end point for some other reason.

Let’s look at the link that was being pushed by @olasher:

http://bit.ly/gwkWzD+

It pointed to adf.ly, another short URL service, one which attempts to monetize short URLs with an advertisement that the viewer needs to click past.

adf.ly

From a Finnish based IP address, the adf.ly URL will open to legitimate sites such as Groupon’s citydeal.fi. Again, with an affiliate ID attached. There could be many dozens of variations within Europe alone.

Groupon, CityDeal

Once you click to skip the ad, you’ll be directed to amazon.com.

Amazon affiliate iPad

And yes, there’s another affiliate ID on the iPad 2 page as well.

All of the links used in this example are rather harmless. Unfortunately, short URL services with IP location technologies and benign affiliate ID spam are just the tip of the iceberg. More malicious links are on the horizon.

So what can be done?

Feature suggestion to bit.ly et al.: disallow URLs that point to other short URL services; there’s no real legitimate reason for chaining them.

Short URLs are useful, please make them less so for spammers and scareware vendors.
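As an added example (not F-Secure’s code), here is a small Python checker for the two problems described above: it follows a redirect chain through an injectable fetcher, flags a short URL that resolves to another short URL service, and flags affiliate parameters on the final page. The redirect table, the shortener host list and the affiliate parameter names are constructed assumptions; the table is keyed by client country to mimic the IP-location behaviour, so the same short link ends up on different sites from different countries.

```python
import urllib.parse

# Known short-URL hosts (constructed list; a real deployment would use a maintained feed).
SHORTENER_HOSTS = {"bit.ly", "ow.ly", "adf.ly", "t.co", "goo.gl", "tinyurl.com"}
# Query parameters that commonly carry affiliate IDs (constructed, illustrative).
AFFILIATE_PARAMS = {"aff", "affid", "affiliate", "ref", "tag"}

# Constructed redirect table keyed by (url, client_country); a missing key means "final page".
REDIRECTS = {
    ("http://bit.ly/EXAMPLE", "US"): "http://adf.ly/EXAMPLE2",
    ("http://bit.ly/EXAMPLE", "FI"): "http://adf.ly/EXAMPLE2",
    ("http://adf.ly/EXAMPLE2", "US"): "http://www.amazon.com/dp/EXAMPLE?tag=constructed-20",
    ("http://adf.ly/EXAMPLE2", "FI"): "http://www.citydeal.fi/?aff=12345",
}

def fetch_from(country):
    """Return a fetcher that resolves one hop as seen from the given country."""
    return lambda url: REDIRECTS.get((url, country))

def host_of(url):
    return (urllib.parse.urlsplit(url).hostname or "").lower()

def is_shortener(url):
    return host_of(url) in SHORTENER_HOSTS

def resolve_chain(url, fetch, max_hops=10):
    """Follow redirects via fetch(url) -> next URL or None; return the list of hops."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:      # redirect loop: record the repeat and stop
            break
        seen.add(nxt)
    return chain

def analyze(chain):
    """Return findings: shortener-to-shortener hops and affiliate IDs on the final URL."""
    findings = []
    for prev, cur in zip(chain, chain[1:]):
        if is_shortener(prev) and is_shortener(cur):
            findings.append(("nested_shortener", prev, cur))
    final = chain[-1]
    for param in urllib.parse.parse_qs(urllib.parse.urlsplit(final).query):
        if param.lower() in AFFILIATE_PARAMS:
            findings.append(("affiliate_id", final, param))
    return findings

if __name__ == "__main__":
    for country in ("US", "FI"):
        chain = resolve_chain("http://bit.ly/EXAMPLE", fetch_from(country))
        print(country, " -> ".join(chain), analyze(chain))
```

A shortener applying the "no chaining" suggestion would run `is_shortener()` on the submitted long URL at creation time; a Twitter-style tooltip would need to resolve the chain from the reader's own location rather than from one home IP.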

Posted in F-Secure

Facebook Events, Credits, and Passwords Being Used for Attacks

Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.

This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.

The attack starts with spammed messages that look like a Facebook notification. The email alerts users that a message has been sent to their Facebook accounts and tells them to click a link to view it. Clicking the link, however, displays a download page for an application called Facebook Messenger.


The downloaded file, named FacebookMessengerSetup.exe, is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a malicious attacker. These commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version, then sends the gathered data to a certain SMTP server.

More Attacks Targeting Facebook Users

It seems like cybercriminals have their eyes particularly set on Facebook users these days, as this is not the only attack we’ve seen in the past couple of days.

In another spam run, recipients were told that their Facebook passwords were unsafe and that they should open an attached document containing their new passwords and information on how to further secure their accounts. Ironically, the said document was actually malware, detected as TROJ_DOFOIL.VI.


We’ve also seen attacks similar to previously reported ones that exploit the Facebook Events feature. This time, however, the social engineering lure was yet another popular Facebook feature: Credits.

Users were notified of a supposed glitch in Facebook’s system that could be fixed by simply following a set of given instructions. Similar to the technique used in the Facebook Stalker Tracker attack, users were told to copy a piece of code and to paste it into their Web browser. Executing the said script results in the creation of an event and in the invitation of the affected users’ contacts to the said event. The “event” contains spammy information such as links to the Canadian Pharmacy.


The script used to create the spam event is now detected as JS_OBFUS.PB.

Trend Micro product users are already protected from the above-mentioned threats through the Trend Micro™ Smart Protection Network™. Facebook users need to be aware that such schemes, among others, are rampant on the network. Extreme caution before clicking links is strongly advised. Users may check out our comprehensive report, Spam, Scams, and Other Social Media Threats, for more information.

Additional text and further analysis by Dhan Praga and Harry Reynoso

Posted in Trendmicro
