SPAM frauds, fakes, and other MALWARE deliveries - archive
FYI...
- http://preview.tinyurl.com/3xqd9o
January 31, 2008 (Infoworld) - "...The Anti-Phishing Working Group (APWG) said in a new report* Thursday that it saw a sharp rise in November in malware that directs users to DNS servers controlled by phishers. DNS servers play a crucial role in locating Web sites. The servers translate a domain name into an IP address, enabling a Web site to be located and accessed through a browser. Often, the phishers will set up their own DNS server that works fine most of the time but can redirect to their own malicious site. Tainting a person's DNS settings is particularly dangerous since the user probably won't notice the redirection, the APWG said. "The fraudulent server replies with 'good' answers for most domains; however, when they want to direct you to a fraudulent one, they simply modify their name server responses," the report said. Phishers are also employing malware that modifies an internal PC file called the hosts, which is used to match domain names of Web sites with IP addresses. When a person visits a Web site, the browser checks the hosts to see if it has an IP address for a particular domain name. If the hosts file is corrupted or hijacked, the browser can be directed to fetch a different Web page than the one the user intended to go to. Both attacks -- also known as pharming -- are dangerous, since a user may be typing in the correct URL but be directed to the phishing site..."
* PDF file: http://www.antiphishing.org/reports/...t_nov_2007.pdf
Also see:
> http://forums.spybot.info/showpost.p...15&postcount=8
:fear::spider:
SPAM, SPAM, and more SPAM... w/malware
FYI...
More fake "Hallmark ecards"...
- http://blog.trendmicro.com/greeting-...read-no-cheer/
June 9, 2008 - "Thinking that someone just remembered you and sent you a Hallmark greeting card? Think again, before you open the email attachment. Today, we received a spam allegedly from Hallmark. Once you run the file named postcard.exe, it will automatically open Notepad with some garbage characters to distract users while the malware is being installed... Trend Micro detects this malware as TROJ_INJECTOR.DD... The malware drops copies of itself and creates registry entries to ensure its automatic execution at every system startup. This is not the first time malware authors tried to trick users by exploiting their curiosity and desire to receive good tidings via greeting cards: Storm started out much the same way, including the use of eCards, and well into 2007."
---------------------------------
Phishers drop MySpace bait
- http://blog.trendmicro.com/phishers-drop-myspace-bait/
June 9, 2008 - "...new phishing attack that leads to the download of malware. However, unlike most instances where phishing baits are usually banks, credit unions or other financial institutions, this time it uses the popular social networking Web site MySpace.com. The phishing URL may be contained in spammed email messages. Once recipients of said messages click or visit the URL, it displays a spoofed MySpace login page. It also uses a popup window declaring a supposed MySpace profile object error and requires that the user download the new version of a new MySpace profile object. Therein lies the trick: When the user clicks the “continue” button, malicious files are not only downloaded but also automatically installed. The said malicious files are detected as TROJ_ZLOB.GUZ and BKDR_IRCBOT.BGY... And if the user tries to exit the page, it will not close until the said file is downloaded. To exit, a user needs to terminate the program using Task Manager... phishing URL hxxp ://{BLOCKED}ce404-error.farvista.net/myspace.php ..."
(Screenshot available at the TrendMicro URL above.)
:fear::fear:
Malicious spam - news on Osama...
FYI...
- http://securitylabs.websense.com/con...erts/3130.aspx
07.04.2008 - "Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software... The recent media coverage discussing Osama Bin Laden seem to have prompted spammers to quickly recycle an old spam campaign... We have seen the same malicious executable used throughout different spam campaigns bearing following email subjects lines:
Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!! ..."
(Screenshots available at the URL above.)
:fear::spider::sad:
Airlines - infected ticket invoices...
FYI...
Attachment contains same Trojan horse that stole 1.6M records from Monster.com last year
- http://preview.tinyurl.com/66ayhz
July 28, 2008 (Computerworld) - "Several airlines, including Delta Air Lines Inc. and Northwest Airlines Corp., have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. A researcher at McAfee Inc. confirmed the campaign in a post to the company's blog*. The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge..."
* http://www.avertlabs.com/research/bl...-takes-flight/
:fear:
Airlines - infected ticket invoices... SPAM
More of same...
- http://www.f-secure.com/weblog/archives/00001477.html
July 30, 2008 - "... Today when we saw a large spam run sending out fake JetBlue etickets... The mail contains a ZIP file that contains the file eTicket#1721.exe which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself tries to steal usernames and passwords to online banks..."
(Screenshot available at the F-secure URL above.)
- http://www.us-cert.gov/current/#airl...t_email_attack
July 31, 2008
:fear:
News update emails - CNN.com Daily Top 10
FYI...
- http://isc.sans.org/diary.html?storyid=4828
Last Updated: 2008-08-05 00:45:33 UTC - "If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!
Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming on line, see http://www.virustotal.com/analisis/2...f236533b03c945
[Result: 10/35 (28.57%)]
The domain "idoo .com" seems to be up to no good. Other involved domains are too numerous to list, but about 50 of them currently resolve to 200.46.83.233. That's in Panama."
:fear:
Phishers play the Olympics
FYI...
Phishers play the Olympics
- http://blog.trendmicro.com/phishers-play-the-olympics/
08.04.2008 - "Olympic tickets anyone? They are available in the Internet of course, but users beware: the bad guys are still working hard to steal from online users as the 2008 Beijing Olympic approaches... fake Beijing Olympics Web site supposedly selling tickets. The Los Angeles Times reports* that Olympics officials have already asked federal courts to shut down certain Web sites that pose as sellers of tickets but actually are stealing credit card numbers and other confidential information..."
* http://www.latimes.com/technology/la...,7568966.story
- http://securitylabs.websense.com/con...erts/3152.aspx
08.05.2008 - "Websense... has discovered a rogue Beijing Olympics ticket lottery Web site. The Web site uses the hostname beij***2008.cn, a clear typo-squat to the official Olympic Games Web site at http://www.beijing2008.cn/. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to lure users into dialling a toll number to retrieve an access code for an available ticket. The toll number is likely an additional revenue generator for the scammers as callers would then be charged a premium rate for making that phone call. Users who input the supplied access code are forwarded to a further Web page designed to collect personal information. They then have the incentive to enter credit card details, to pay a relatively small sum of RMB600 for the ticket (approximately 87 USD). This phishing Web site goes a step further than most phishing sites by employing a phone-call "verification" step. This higher level of interactivity and supposed verification garners more trust from unsuspecting users..."
(Screenshots available at the TrendMicro and Websense URLs above.)
:fear::mad::sad:
FAKE Adobe Flash Player - more...
More...
Compromised Web Servers Serving Fake Flash Players
- http://ddanchev.blogspot.com/2008/08...ving-fake.html
August 05, 2008 - "...This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it... As far as the owner's are concerned, it appears that some of them are already seeing the malware page popping-up on the top of their daily traffic stats, and have taken measures to remove it... The structure of the malware campaign is pretty static, with several exceptions where they also take advange of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts shich serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running... (the list is way too long to post here - see ddanchev.blogspot URL above.)...
Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4
The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider...
Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8
The bottom line - over a thousand domains are participating, with many other apparently joining the party proportionally with the web site owner's actions to get rid of the malware campaign hosted on their servers."
---
* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0
:fear::fear: