
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #141
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    H1N1 SPAM w/virus

    FYI...

    H1N1 SPAM w/virus...
    - http://www.f-secure.com/weblog/archives/00001734.html
    July 21, 2009 - "We recently saw this malicious file being spread in emails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file. When the file was opened, it created several new files to the hard drive:
    • %windir%\Temp\Novel H1N1 Flu Situation Update.doc
    • %windir%\Temp\doc.exe
    • %windir%\Temp\make.exe
    • %windir%\system32\UsrClassEx.exe
    • %windir%\system32\UsrClassEx.exe.reg
    The executables contain backdoor functionality, including an elaborate keylogger. And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file..."

    - http://www.sophos.com/blogs/sophoslabs/v/post/5517
    July 22, 2009

    (Screenshots available at both URLs above.)

    Last edited by AplusWebMaster; 2009-07-22 at 20:14. Reason: Added Sophos link...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #142
    Adviser Team AplusWebMaster's Avatar

    Targeted malware calling home...

    FYI...

    Targeted malware calling home...
    - http://www.f-secure.com/weblog/archives/00001736.html
    July 23, 2009 - "In targeted attacks, we see more and more attempts to obfuscate the hostname of the server where the backdoors are connecting to. IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity. The admins might spot a host that suddenly connects to known rogue locations like:
    • weloveusa.3322.org
    • boxy.3322.org
    • jj2190067.3322.org
    • hzone.no-ip.biz
    • tempsys.8866.org
    • zts7.8800.org
    • shenyuan.9966.org
    • xinxin20080628.gicp.net
    However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names like:
    • ip2.kabsersky.com
    • mapowr.symantecs.com.tw
    • tethys1.symantecs.com.tw
    • www.adobeupdating.com
    • iran.msntv.org
    • windows.redirect.hm
    The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www .adobeupdating .com and just disregard it. "That must be the PDF reader trying to download updates..." In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia."

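Added example, not part of the original post or of the F-Secure write-up it quotes: a log triage pass that flags both kinds of hostname described above, the dynamic-DNS zones and the names that borrow a vendor's brand without sitting in that vendor's zone. The brand-to-zone table, the log format and the log lines are assumptions constructed for illustration.

```python
import re

# Dynamic-DNS zones seen in the hostnames quoted in the post above.
DYNDNS = ("3322.org", "no-ip.biz", "8866.org", "8800.org", "9966.org", "gicp.net")
# Assumption: brand token -> zones that brand really uses; extend for your estate.
BRANDS = {"adobe": {"adobe.com"}, "symantec": {"symantec.com"},
          "kaspersky": {"kaspersky.com"}, "msn": {"msn.com"},
          "windows": {"windows.com", "windowsupdate.com", "microsoft.com"}}
LEGIT = set().union(*BRANDS.values())
# Constructed firewall log lines (not real traffic); the format is an assumption.
SAMPLE_LOG = """\
2009-07-23 09:14:02 ALLOW 10.1.4.22 -> www.adobeupdating.com:80
2009-07-23 09:14:07 ALLOW 10.1.4.31 -> get.adobe.com:443
2009-07-23 09:15:40 ALLOW 10.1.4.22 -> boxy.3322.org:8080
2009-07-23 09:16:11 ALLOW 10.1.7.9 -> ip2.kabsersky.com:443
"""
LINE = re.compile(r"(\S+) -> ([A-Za-z0-9.-]+):\d+$")

def under(host, zone):
    return host == zone or host.endswith("." + zone)

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    # Returns "dyndns", "lookalike:<brand>" or None for one destination hostname.
    host = host.lower().rstrip(".")
    if any(under(host, z) for z in DYNDNS):
        return "dyndns"
    if any(under(host, z) for z in LEGIT):
        return None  # genuinely inside a vendor's own zone
    for brand in BRANDS:
        for label in host.split("."):
            # Substring catches "adobeupdating"; distance catches "kabsersky".
            if brand in label or (len(brand) >= 6 and edit_distance(label, brand) <= 2):
                return "lookalike:" + brand
    return None

def scan(log):
    # (source, hostname, verdict) for every flagged log line.
    found = (LINE.search(l) for l in log.splitlines())
    return [(m[1], m[2], classify(m[2])) for m in found if m and classify(m[2])]
```

Short brand tokens such as "msn" match as substrings of unrelated names, so treat the output as a review queue and not as a block list.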

  3. #143
    Adviser Team AplusWebMaster's Avatar

    Dilbert sends out 419 scams

    FYI...

    Dilbert sends out 419 scams...
    - http://www.sophos.com/blogs/sophoslabs/v/post/5633
    July 29, 2009 - "... Advance Fee fraud scammers will abuse any free service they can get their hands on to send out their spam messages... In recent days, a group of Nigerian scammers have started abusing the “share-a-comic-strip” feature on Dilbert.com. The scammers do this by including their own fraud message inside the “personal message” portion of the sent messages. This is probably a money-making scheme that Dogbert would approve of..."

    (Screenshots available at the URL above.)


  4. #144
    Adviser Team AplusWebMaster's Avatar

    PayPal fraud with CAPTCHA

    FYI...

    PayPal fraud with CAPTCHA
    - http://blog.trendmicro.com/paypal-fraud-with-captcha/
    Aug. 11, 2009 - "... CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to protect web sites against abusive automated software that can register, spam, login, or even splog. However, nowadays that isn’t the case anymore. Just like the traditional PayPal phish, the web page http ://{BLOCKED}www.security-paypal.citymax.com /paypal_security.html asks the user to provide feedback from their Shopping by asking for their Name, E-mail Address and PayPal password... After which, a CAPTCHA image is shown and requires the user to enter the code indicated for spam prevention. However, after entering the user’s personal information, this could be used to create bogus mail accounts, among other things..."

    (Screenshot available at the URL above.)


  5. #145
    Adviser Team AplusWebMaster's Avatar

    Spam changes HOSTS file...

    FYI...

    Spam changes HOSTS file...
    - http://blog.trendmicro.com/brazil-sp...-a-hosts-file/
    Aug. 14, 2009 - "We have recently detected a new spam attack that attempts to grab the bank data of Brazilian users. The mechanics of this attack are simple. Users receive this spam email... The mail claims that the user has received an e-card, and contains a link to “read” the said card. Click on the related link, a file is downloaded and executed... Apparently nothing happens, just an Internet Explorer is opened showing a related web card from this initial phishing. In the background, however, the HOSTS file is changed, and set to redirect certain Brazilian banking Web sites to a malicious web site. All information posted in any of the said pages will then be grabbed by the attacker..."

    (Screenshots available at the URL above.)

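Added example, not part of the original post or of the Trend Micro write-up it quotes: an audit of HOSTS file content that reports any entry overriding a watched site, plus any other static mapping to a non-loopback address. The watched names, the sample file and its addresses are constructed (reserved `.example` names and documentation IP ranges).

```python
import ipaddress

# Constructed hosts-file content, not taken from a real infection.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.66    www.banco.example banco.example   # appended line
0.0.0.0         ads.tracker.example
203.0.113.66    WWW.OutroBanco.example
198.51.100.9    intranet.corp.example
"""

# Assumption: the sites whose resolution must never be pinned locally.
WATCHED = {"banco.example", "outrobanco.example"}

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each mapping line, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping line
        yield n, ip, [f.lower().rstrip(".") for f in fields[1:]]

def audit(text, watched=WATCHED):
    """Return (line_no, name, ip, reason) for every entry worth a look."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            pinned = any(name == w or name.endswith("." + w) for w in watched)
            local = ip.is_loopback or ip.is_unspecified
            if pinned:
                findings.append((n, name, str(ip), "watched name overridden"))
            elif not local:
                findings.append((n, name, str(ip), "unexpected static mapping"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS):
        print(*finding, sep="\t")
```

On Windows the file to feed in is `%windir%\system32\drivers\etc\hosts`; comparing its findings against a known-good baseline keeps legitimate intranet entries out of the report.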

  6. #146
    Adviser Team AplusWebMaster's Avatar

    Facebook apps phish...

    FYI...

    Facebook apps used for phishing
    - http://blog.trendmicro.com/facebook-...-for-phishing/
    Aug. 19, 2009 - "It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before*. Earlier this week, however, Trend Micro... found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s -legitimate- Facebook profile... While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites..."
    * http://blog.trendmicro.com/?s=Koobface

    (Screenshots available at the URL at the top listed above.)


  7. #147
    Adviser Team AplusWebMaster's Avatar

    Employers block social networking, web surfing at work

    FYI...

    - http://www.darkreading.com/shared/pr...leID=219401053
    Aug. 21, 2009 - "... According to new data collected by ScanSafe, which filters more than a billion Web queries each month, some 76 percent of companies are now blocking social networking sites - a 20 percent increase over the past six months. More companies now block social networking sites than block Webmail (58 percent), online shopping (52 percent), or sports sites (51 percent), ScanSafe says*. "Social networking sites can expose businesses to malware, and if not used for business purposes, can be a drain on productivity and bandwidth," says Spencer Parker, director of product management at ScanSafe... Companies are also increasing their restrictions on other types of sites, including travel, restaurants, and job hunting sites, according to the data..."
    * http://www.scansafe.com/news/press_r...networking_use


  8. #148
    Adviser Team AplusWebMaster's Avatar

    Swine flu SPAM leads to malware

    FYI...

    Swine flu SPAM leads to malware
    - http://blog.trendmicro.com/fake-pres...ad-to-malware/
    Sep. 5, 2009 - "No one is absolutely safe from Influenza H1N1, not even world leaders. This is the scenario painted by cybercriminals in their latest spam run. The spammed message informs recipients that the President of Peru, Alan Gabriel Ludwig García Pérez, and other attendees of the delegation of UNASUR (Union of South American Nations) summit have confirmed cases of Swine flu. Furthermore, it states that the presidents of Brazil and Bolivia were also both infected but are now recovering... Written in Spanish, the spam attempts to stir recipients’ curiosity by saying that the incident is being kept from the public. It also urges them to click on the malicious link, which purports to contain the audio news pertaining to this incident. Instead of news, however, all victims get is an executable file ( Alan.Gripe.Porcina.mp3 .exe ) detected by Trend Micro as TSPY_BANCOS.AEM. BANCOS variants are known for their info-stealing capabilities..."

    (Screenshots available at the URL above.)


  9. #149
    Adviser Team AplusWebMaster's Avatar

    Koobface attacks on Facebook and MySpace...

    FYI...

    Koobface attacks on Facebook and MySpace...
    - http://www.associatedcontent.com/art...ok.html?cat=15
    September 07, 2009 - "Rumors of a Fan Check virus have circulated in the Facebook community. The Kaspersky Lab* two variants of Koobface viruses which (for now) are only attacking Facebook and MySpace users... As a Facebook user, it's important to remember not to open suspicious links, even if they are from "friends".... had problems in the past with hackers using my friends' accounts to spam or to send viruses. One of the current links is to a YouTube video and a message asking the users to update to the latest version of Flash Player. By clicking, the user will have effectively downloaded a worm..."
    * http://www.kaspersky.com/news?id=207575670

    - http://www.eset.com/threat-center/bl...about-facebook
    September 8, 2009 - "... Quite a few people are talking about Fan Check at the moment, but mostly in the context of the "Facebook Fan Check Virus" hoax: briefly, the bad guys are using SEO poisoning to ensure that if you look for search terms like "Facebook Fan Check Virus" in a search engine, some of the top-ranking hits you get will be to sites that will try to trick you into downloading a rogue anti-malware application..."

    Last edited by AplusWebMaster; 2009-09-08 at 16:06.

  10. #150
    Adviser Team AplusWebMaster's Avatar

    Bogus work-at-home schemes...

    FYI...

    Bogus work-at-home schemes...
    - http://voices.washingtonpost.com/sec...47000_fro.html
    September 9, 2009 - "Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag. In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes..."
