
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #481
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    DNS hijacks ...

    FYI...

    DNS hijacks ...
    - http://h-online.com/-1336589
    5 September 2011 - "A number of popular web sites were hit by a DNS hijack attack; The Daily Telegraph, UPS, The Register, National Geographic, Vodafone, Betfair and Acer were all affected. By modifying the DNS records for the sites, rather than directly attacking them, visitors to the sites were redirected to a site by "TurkGuvenligi" which declares "h4ck1n9 is not a cr1m3". Some of the sites shut down password protected services during the attack to ensure that users attempting to log in were not compromised. Correct DNS records have now been generated and have been propagating in the DNS system overnight..."

    > http://zone-h.org/news/id/4741
    "... all use NetNames as their registrar. It appears that the Turkish attackers managed to hack into the DNS panel of NetNames using an SQL injection..."

    - http://nakedsecurity.sophos.com/2011...ister-ups-etc/
    September 4, 2011

    - http://blog.sucuri.net/2011/09/ascio...nd-others.html
    September 4, 2011

    Last edited by AplusWebMaster; 2011-09-07 at 16:30.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
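As an added example (not part of this post or of the h-online / zone-h articles it quotes), here is a small Python check a site owner could run against the attack described above: pin the domain's NS, A and MX records to a trusted baseline and report any drift, since a registrar-panel compromise shows up as rewritten delegation or address records long before anyone notices a defacement. The domain names, baseline values and "observed" answers below are constructed; the live lookup helper is optional and is not used by the offline demo.

```python
"""Detect registrar-level DNS tampering by comparing a trusted baseline of
a domain's records with what resolvers currently return.

Added example, not from the articles or the forum post. All domain names,
addresses (documentation ranges) and "observed" answers are constructed.
"""
import socket
from dataclasses import dataclass, field


@dataclass
class RecordSet:
    """Records worth pinning: authoritative nameservers, web addresses, mail
    exchangers. A registrar-panel compromise typically rewrites NS and/or A."""
    ns: frozenset
    a: frozenset
    mx: frozenset = field(default_factory=frozenset)


def diff_records(baseline: RecordSet, observed: RecordSet) -> dict:
    """Return {rtype: (added, removed)} for every record type that drifted."""
    drift = {}
    for rtype in ("ns", "a", "mx"):
        base, obs = getattr(baseline, rtype), getattr(observed, rtype)
        added, removed = obs - base, base - obs
        if added or removed:
            drift[rtype] = (added, removed)
    return drift


def classify(drift: dict) -> str:
    """Severity heuristic: NS drift means the whole zone is attacker-controlled,
    A-only drift redirects the web site, MX-only drift diverts mail."""
    if not drift:
        return "ok"
    if "ns" in drift:
        return "critical: nameservers changed (zone delegation hijacked)"
    if "a" in drift:
        return "high: web addresses changed (site redirected)"
    return "high: mail exchangers changed (mail diverted)"


def check_domain(name: str, baseline: RecordSet, observed: RecordSet) -> dict:
    drift = diff_records(baseline, observed)
    return {"domain": name, "verdict": classify(drift), "drift": drift}


def live_a_records(name: str) -> frozenset:
    """Optional live lookup of A records through the system resolver. Not used
    by the offline demo; NS/MX lookups need a real DNS client such as dnspython."""
    _, _, addrs = socket.gethostbyname_ex(name)
    return frozenset(addrs)


# Constructed sample: one domain unchanged, one whose NS and A records have been
# swapped to attacker infrastructure (hypothetical names, documentation IPs).
BASELINE = {
    "example.com": RecordSet(ns=frozenset({"ns1.example.net.", "ns2.example.net."}),
                             a=frozenset({"192.0.2.10"}),
                             mx=frozenset({"mail.example.com."})),
    "example.org": RecordSet(ns=frozenset({"ns1.example.net.", "ns2.example.net."}),
                             a=frozenset({"192.0.2.20"})),
}
OBSERVED = {
    "example.com": BASELINE["example.com"],
    "example.org": RecordSet(ns=frozenset({"ns1.attacker.example.", "ns2.attacker.example."}),
                             a=frozenset({"198.51.100.7"})),
}


def run_checks(baseline=BASELINE, observed=OBSERVED) -> list:
    """Check every pinned domain; returns one result dict per domain, sorted by name."""
    return [check_domain(d, baseline[d], observed[d]) for d in sorted(baseline)]


if __name__ == "__main__":
    for result in run_checks():
        print(result["domain"], "->", result["verdict"])
        for rtype, (added, removed) in result["drift"].items():
            print(f"  {rtype.upper()}: +{sorted(added)} -{sorted(removed)}")
```

In practice the baseline is captured once from a known-good state and the observed set is queried from several public resolvers on a schedule; a registrar-level change will show up as NS drift first, which is why the heuristic ranks it above a changed A record.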

  2. #482 AplusWebMaster (Adviser Team)

    Fake offers with Fake Trust Seals

    FYI...

    Fake Offers with Fake Trust Seals
    - http://www.symantec.com/connect/blog...ke-trust-seals
    Sep. 5, 2011 - "... Symantec observed a phishing site that utilized a number of new tricks. The phishing site masqueraded as a well known software company and claimed to offer associated software products at discounted rates. The phishing page highlighted these fake offers as “summer offerings” and stated that customers could save 80% on their purchases. Users were prompted to enter their billing information, personal information, and credit card details to complete their purchases... If any users had fallen victim to the phishing site, the phishers would have successfully stolen their confidential information for financial gain... The phishing site was hosted on a newly registered domain name, and this new domain name was indexed in several popular search engines and had a very high page ranking. Phishers achieved the boosted page ranking by using common search keywords for the products within the domain name. For example, the domain would look like “common-search-keywords.com”. Thus, if a user searched with these keywords in a search engine, they could end up with the phishing site as a high-ranked result... The phishing page also contained fake trust seals at the bottom of the page. A legitimate trust seal is a seal provided to Web pages by a third party, typically a software security company, to certify that the website in question is genuine. Clicking on a trust seal will pop up a window provided by the third party, which contains details of the site name and the encryption data used to secure the site...
    Internet users are advised to follow best practices to avoid phishing attacks:
    • Do not click on suspicious links in email messages.
    • Avoid providing any personal information when answering an email.
    • Never enter personal information in a pop-up page or screen.
    • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
    • Frequently update your security software..."
    (Screenshots available at the symantec URL above.)


  3. #483 AplusWebMaster (Adviser Team)

    Fake e-mails from Electronic Payments Association NACHA

    FYI...

    Fake e-mails from Electronic Payments Association NACHA
    - http://community.websense.com/blogs/...ion-nacha.aspx
    06 Sep 2011 - "Websense... has been tracking a large number of messages masquerading as legitimate messages from the Electronic Payment Association NACHA. The messages bear legitimate traits, as the display name and routing details seem to confirm. Further analysis of the message and attachments prove these to be malicious in intent... an unsuspecting member or patron of the service might just fall for this... The use of a double extension on a file name as well as the exact format of the message, including the Subject, attests to the reuse of the campaign... Although this might seem to have come from NACHA, the routing details suggest otherwise as they do not originate from the publicly-known MX records for the organization... VirusTotal results*..."
    (Screenshots available at the websense URL above.)
    * https://www.virustotal.com/file-scan...e91-1315379402
    File name: FormApp_23131.zip
    Submission date: 2011-09-07 07:10:02 (UTC)
    Result: 30/44 (68.2%)

    ACH spam campaign analysis...
    - http://labs.m86security.com/2011/09/...spam-campaign/
    September 6, 2011 - "... Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious file attachment was a downloader that we have seen a lot of lately – Chepvil... The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password stealing malware, Zbot... downloading the file “s.exe” – a Zbot variant**... The file “22.exe” was interesting because we had not encountered it before. It was detected*** by 22 out of 45 antivirus programs... Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe... This spambot’s recent spamming activities include both pharmaceutical, and further ACH campaigns that appear to be from NACHA.org; and are very similar to the one which led to this infection in the first place..."
    ** https://www.virustotal.com/file-scan...6fd-1315391834
    File name: file
    Submission date: 2011-09-07 10:37:14 (UTC)
    Result: 34/44 (77.3%)
    *** https://www.virustotal.com/file-scan...3ee-1315187924
    File name: svchost.exe
    Submission date: 2011-09-05 01:58:44 (UTC)
    Result: 31/44 (70.5%)
    ___

    Virus Outbreak In Progress
    - http://www.ironport.com/toc/
    Sep. 7, 2011

    - http://tools.cisco.com/security/cent...utbreak.x?i=77

    Malicious Account Information E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=24092
    Fake Parcel Delivery Failure Notification E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23917
    Fake Presentation E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=24082
    Fake FDIC Document E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=24028
    Malicious Changelog Attachment E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23588

    Last edited by AplusWebMaster; 2011-09-07 at 17:16.

  4. #484 AplusWebMaster (Adviser Team)

    Ransomware posing as MS...

    FYI...

    Ransomware posing as Microsoft
    - http://pandalabs.pandasecurity.com/r...-as-microsoft/
    09/6/11 - "... Once you get infected (you can receive it in a number of different ways, most likely via spam messages and P2P), your computer is restarted. What for? Well, the malware installs itself to run every time your computer is started... The threat is clear: your Microsoft Windows authenticity could not be verified, you need to have it fixed, which is just a 100€ payment. They give you the payment instructions and before saying goodbye they let you know that in case you don’t pay you’ll lose access to the computer and will lose all your data, as well as that the district attorney’s office already has your IP address and that you’ll be prosecuted in case you fail to pay... that would scare anyone that doesn’t know this is a ransomware attack... for all of you that wouldn’t like to pay anything to these bastards, this is the code you can use to deactivate it:
    QRT5T5FJQE53BGXT9HHJW53YT
    Doing that your computer will be restarted and the registry key created by this malware (detected as Ransom.AN) will be removed, as well as the malware file..."


  5. #485 AplusWebMaster (Adviser Team)

    Ransomware uses false child porn accusations

    FYI...

    Ransomware uses false child porn accusations
    - http://www.malwarecity.com/blog/cybe...ions-1127.html
    5 September 2011 - "Russian cyber-criminals are coupling false accusations of child pornography with real software damage in a new scam that attempts to extort 500-ruble ($17) payments out of victims, according to an analysis by Bitdefender. Once infected with Trojan.Agent.ARVP malicious software, spread via innocent-seeming links, the victim receives a note stating that child pornography has been found on the computer and the user must pay a “fine” via a payment service. To back up the demand, the Trojan blocks the computer, effectively holding the system ransom. The scam marks an extension of the traditional activities of Russian cyber-criminal gangs, many of whom specialize in offering fake anti-virus solutions, or in frauds such as the “Russian bride scam,” which seeks to con European or North American men out of money by posing as beautiful Russian women seeking husbands from abroad. The child-porn scam targets Russian speakers for now but such attacks are often translated into English and other languages to spread further... The ransom note is scaled to take up to 90 percent of the screen and whatever is behind it is invalidated. Other emergency tools such as Task Manager, Windows Explorer and User Init Logon Application are killed and overwritten with copies of the Trojan, which prevents the operating system from initializing and running properly. The scammers say the user must pay within 12 hours or the “child-porn” case will be forwarded to the local police and all data stored on the personal computer will be blocked or deleted, the operating system uninstalled and the BIOS erased. In reality, the data will still be there and the BIOS will not be affected after the 12-hour deadline passes... Paying the ransom will -not- unlock it. In-depth analysis of the malware revealed that there is no way to unlock the PC, so the promise of a code is false. Messages such as this should immediately raise suspicions... To remain safe from such scams, users are advised to scrutinize links they come across and avoid as much as possible clicking on URLs they have not specifically searched for."


  6. #486 AplusWebMaster (Adviser Team)

    Corporate account credentials phished ...

    FYI...

    Corporate account credentials phished...
    - http://www.finextra.com/news/fullsto...wsitemid=22957
    16 September 2011 - "The FBI is currently investigating over 400 reported cases of corporate account takeovers, where cyber crooks have used ACH and wire transfers to steal tens of millions of dollars from US businesses. The scale of the problem was revealed this week by the bureau's assistant director in the cyber division, Gordon Snow, in testimony to a House Financial Services Committee subcommittee. Snow says business employees are being targeted by phishing e-mails containing infected files or links to suspect Web sites, enabling criminals to install -malware- on their computers to harvest online banking credentials. The FBI is looking into over 400 cases where crooks have used this information to steal money from firms' accounts, involving the attempted theft of over $255 million and the actual loss of around $85 million..."


  7. #487 AplusWebMaster (Adviser Team)

    Malvertising on Bing and Yahoo...

    FYI...

    Malvertising on Bing and Yahoo...
    - http://sunbeltblog.blogspot.com/2011...-serve-up.html
    September 16, 2011 - "... adverts being displayed in Bing that were directing end-users to malicious content. These adverts were promoting all manner of downloads including Firefox, Skype and uTorrent. Some of the search terms used:
    FireFox Download - Download Skype - Download Adobe Player...
    Clicking the adverts takes end-users to sites such as river-park(dot)net, and they do a pretty good job of convincing visitors that these sites are the real deal (incidentally, you'll notice that some of the ads display the "real" URL of the program mentioned, but take you to a rogue site such as the "Download uTorrent Free" advert... which actually takes you to aciclistaciempozuelos(dot)es/torrent)... All of the malicious downloads are coming from en-softonic(dot)net... the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects. Current VirusTotal score for that one is 16/44*, and we detect it as Win32.Malware!Drop. These adverts were also appearing in Yahoo search - we notified both Yahoo and Microsoft, and both companies are in the process of killing these things off. It's entirely possible these sites will show up somewhere else..."
    (Screenshots available at the sunbeltblog URL above.)
    * https://www.virustotal.com/file-scan...7aa-1316154205
    File name: Backup.exe
    Submission date: 2011-09-16 06:23:25 (UTC)
    Result: 16/44 (36.4%)


  8. #488 AplusWebMaster (Adviser Team)

    Scare tactics used in malicious emails ...

    FYI...

    Scare tactics used in malicious emails ...
    - http://community.websense.com/blogs/...200_-spam.aspx
    20 Sep 2011 - "... Websense... has detected that an email campaign broke out on 19th September, 2011. In this campaign, emails are spoofed to appear as though they are sent from established companies. The emails even formally claim that legal action will be taken because of the spam you have sent. These emails with the fake warning even attach a ZIP file that contains a scanned copy of a document that is supposedly evidence of your spam... The spam outbreak uses several alerting subject headings to attract readers' attention. The ZIP file is actually an EXE file disguised as a document after decompression. It's a kind of Trojan.Downloader virus confirmed by VirusTotal*. When the trojan triggers, it copies itself to the system path under the Startup folder and deletes itself. Whenever you start the computer, the trojan will execute. This trojan can connect to remote servers and download malicious files... This campaign could potentially contain other variants of the trojan as attachments..."
    (Screenshots available at the websense URL above.)
    * https://www.virustotal.com/file-scan...b5b-1316594716
    File name: 2166218
    Submission date: 2011-09-21 08:45:16 (UTC)
    Result: 29/44 (65.9%)
    ___

    - http://community.websense.com/blogs/...ense-labs.aspx
    22 Sep 2011

    Last edited by AplusWebMaster; 2011-09-23 at 14:05.
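Both the NACHA/ACH post (#483) and the "spam complaint" post above describe the same two tells: the message does not arrive from the sender domain's published mail hosts, and the attachment is a ZIP whose member is an executable wearing a document name (a double extension). As an added example, not from Websense, M86 or this forum post, here is a Python triage routine that checks both on a parsed message. The sample message, the relay allowlist (a placeholder, not NACHA's real MX) and the ZIP contents are constructed inline so that it runs offline; in a gateway the allowlist would be built from the sender domains' MX/SPF data.

```python
"""Triage an inbound message: was it handed to our MX by one of the sender
domain's expected mail hosts, and do its attachments hide executables?

Added example, not from Websense, M86 or the forum post. The message, the
relay allowlist and the ZIP attachment below are constructed.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".txt", ".htm", ".html"}


def double_extension(name: str) -> bool:
    """'invoice.pdf.exe' -> True, 'report.pdf' -> False."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DOC_EXT and "." + parts[2] in EXEC_EXT


def is_executable_name(name: str) -> bool:
    return any(name.lower().endswith(ext) for ext in EXEC_EXT)


def handoff_host(msg, our_mx: str):
    """Host that connected to *our* MX. That Received line is the only one we
    wrote ourselves; every line below it came with the message and may be forged."""
    for line in msg.get_all("Received") or []:
        flat = " ".join(str(line).split())
        if f"by {our_mx}" in flat:
            m = re.match(r"from\s+([\w.-]+)", flat)
            return m.group(1).lower() if m else None
    return None


def zip_members(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def triage(raw: bytes, our_mx: str, expected_relays: dict) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    dom = msg["From"].addresses[0].domain.lower()
    relay = handoff_host(msg, our_mx)
    findings = []
    allowed = expected_relays.get(dom, set())
    if relay is None or not any(relay == h or relay.endswith("." + h) for h in allowed):
        findings.append(f"relay {relay!r} is not a published mail host for {dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if double_extension(name) or is_executable_name(name):
            findings.append(f"attachment {name!r} is executable")
        if name.lower().endswith(".zip"):
            for member in zip_members(part.get_payload(decode=True)):
                if double_extension(member) or is_executable_name(member):
                    findings.append(f"{name!r} contains executable {member!r}")
    return {"from_domain": dom, "relay": relay, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


def build_sample() -> bytes:
    """Constructed lure: spoofed nacha.org sender delivered by an unrelated
    dynamic host, carrying a ZIP whose only member is 'FormApp_23131.pdf.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FormApp_23131.pdf.exe", b"MZ\x90\x00 placeholder, not a real PE")
    msg = EmailMessage()
    msg["Received"] = ("from 198-51-100-23.dyn.isp.example "
                       "(198-51-100-23.dyn.isp.example [198.51.100.23]) "
                       "by mx.example.com with ESMTP; Wed, 7 Sep 2011 07:10:02 +0000")
    msg["From"] = "NACHA <alerts@nacha.org>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "ACH transfer rejected"
    msg.set_content("Your ACH transfer was rejected. See the attached form.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FormApp_23131.zip")
    return msg.as_bytes()


# Placeholder allowlist; populate from the real MX / SPF records in production.
EXPECTED_RELAYS = {"nacha.org": {"mx.nacha.example"}}

if __name__ == "__main__":
    result = triage(build_sample(), "mx.example.com", EXPECTED_RELAYS)
    print(result["verdict"], result["relay"])
    for f in result["findings"]:
        print(" -", f)
```

The relay check deliberately reads only the Received line added by our own MX: earlier hops are sender-supplied text, which is exactly what a forged "legitimate" display name and routing block rely on. The ZIP is opened in memory with the member names inspected only, never extracted or executed.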

  9. #489 AplusWebMaster (Adviser Team)

    Fake transfers - latest Bank Heist ...

    FYI...

    Fake transfers are latest Bank Heist ...
    - http://www.trusteer.com/blog/fictiti...est-bank-heist
    September 20, 2011 - "A number of banks, in an effort to validate and secure financial transactions, are utilising transaction verification systems. They’re doing this in the belief that, even if malware manages to change transaction details on the fly, the customer has an out of band channel to verify that it has not been modified. This is based on the assumption that malware cannot infect the out of band channel, and therefore the bank or the customer will be able to detect fraudulent transfers... the assumption that malware cannot influence the out of band channel is flawed. The easiest way to defeat transaction verification systems is using social engineering attacks. Over the years we've seen a number of different variants against transaction verification systems... Using malware fraudsters first gain control over the web channel. This means -any- information that customers view inside their browser, while connected to their bank, can be modified by the fraudsters. Unfortunately, customers are usually -unable- to distinguish whether what they are seeing was actually served by the bank, or in fact modified by malware! This is giving fraudsters the ability to launch extremely effective social engineering attacks. In the attack we've recently seen, fraudsters were simply waiting for customers to log on to their bank's website. The bank robber then ‘changed’ the content of the post login page, to a message, informing customers of an upgraded security system. The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system. As part of the training they’re asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated... the transaction then happens, the money is transferred, and the criminal disappears off into the sunset..."
    (More detail at the trusteer URL above.)

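The attack above works because everything in the browser is attacker-controlled, so the one channel the fraudster cannot rewrite, the text on the phone, has to carry the facts. As an added example that goes a step beyond what the Trusteer post describes (it is not the bank's or Trusteer's code), here is a confirmation service in Python whose SMS states the beneficiary and amount the bank actually received and whose code is an HMAC over those details. Against the "training transfer" pretext the SMS directly contradicts the claim that the account will not be debited; against a man-in-the-browser that swaps the beneficiary after the SMS went out, the code simply fails to verify. The server key, customer id, account strings and amounts are constructed.

```python
"""Out-of-band confirmation codes bound to the transaction being confirmed.

Added example illustrating the design point behind the Trusteer post; the
key, customer id, account identifiers and amounts are constructed.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal


class ConfirmationService:
    """Issues and checks codes tied to (customer, beneficiary, amount, nonce)."""

    def __init__(self, server_key: bytes, digits: int = 6):
        self._key = server_key
        self._digits = digits
        self._pending = {}  # txn_id -> (customer, beneficiary, amount, nonce)

    def _code(self, customer: str, beneficiary: str, amount: Decimal, nonce: str) -> str:
        canonical = f"{customer}|{beneficiary}|{amount:.2f}|{nonce}".encode()
        mac = hmac.new(self._key, canonical, hashlib.sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 10 ** self._digits).zfill(self._digits)

    def issue(self, customer: str, beneficiary: str, amount: Decimal):
        """Return (txn_id, sms_text). The SMS says what is being confirmed, so a
        bare 'your code is 123456' cannot be passed off as a training exercise."""
        txn_id, nonce = secrets.token_hex(4), secrets.token_hex(8)
        self._pending[txn_id] = (customer, beneficiary, amount, nonce)
        code = self._code(customer, beneficiary, amount, nonce)
        sms = (f"Payment of {amount:.2f} EUR to account {beneficiary}. "
               f"Code {code}. Only enter it if YOU requested this payment.")
        return txn_id, sms

    def confirm(self, txn_id: str, beneficiary: str, amount: Decimal, code: str) -> bool:
        """Accept only if the code matches the details now being submitted; a
        beneficiary or amount changed in-browser after the SMS yields a mismatch."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        customer, _, _, nonce = entry
        expected = self._code(customer, beneficiary, amount, nonce)
        ok = hmac.compare_digest(expected, code)
        if ok:
            del self._pending[txn_id]  # single use
        return ok


def code_from_sms(sms: str) -> str:
    """What the customer types back: the digits after 'Code '."""
    return sms.split("Code ")[1].split(".")[0]


def demo() -> dict:
    svc = ConfirmationService(b"constructed-server-key")
    mule, amount = "DE00 MULE 0000 0001", Decimal("4950.00")

    # Scenario from the post: the injected "training" page submits a real transfer
    # to a mule account. The SMS names that account and amount.
    txn, sms = svc.issue("cust-42", mule, amount)
    sms_shows_details = mule in sms and "4950.00" in sms
    # A customer who ignores the SMS text and types the code is still accepted:
    # binding cannot undo social engineering, but nothing was hidden from them.
    accepted = svc.confirm(txn, mule, amount, code_from_sms(sms))
    replayed = svc.confirm(txn, mule, amount, code_from_sms(sms))

    # Man-in-the-browser variant: beneficiary swapped after the code was issued.
    txn2, sms2 = svc.issue("cust-42", "DE00 GRANDMA 0000 0002", Decimal("100.00"))
    tampered = svc.confirm(txn2, mule, Decimal("100.00"), code_from_sms(sms2))

    return {"sms_shows_details": sms_shows_details, "accepted_as_shown": accepted,
            "replay_accepted": replayed, "tampered_accepted": tampered}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The amount is canonicalised to two decimals before hashing so that "4950" and "4950.00" produce the same code; the nonce is kept server-side and never shown, so the code cannot be precomputed for a different transaction even if the attacker knows the beneficiary and amount.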

  10. #490 AplusWebMaster (Adviser Team)

    Japan - MHI hacked ...

    FYI...

    Japan - MHI hacked ...
    - http://www.itpro.co.uk/636271/japan-...-cyber-war-now
    21 Sep 2011 - "... Mitsubishi Heavy Industries, one of Japan’s major weapons suppliers, admitted 45 of its servers and 38 computer terminals were infected. Targeted malware was allegedly used as part of a spear phishing attempt – similar to other attacks that have attempted to breach Governments in recent times, including in the UK. RSA was compromised by such tactics too – another situation in which some suspected a nation state’s involvement, as at least one of the eventual targets turned out to be major US defence contractor Lockheed Martin... In the case of MHI, no one has yet claimed responsibility for the infection. China, the number one suspect according to some sources, has denied any involvement. As with so many recent cases, no nation has been found guilty, nor has any Government admitted to being the perpetrator of an attack. When the DigiNotar attacks emerged last month, eventually resulting in the certificate authority’s demise, many pointed fingers at Iran. Yet in that case, ComodoHacker claimed responsibility, saying the Iranian regime had no hand in the hacks. For any onlookers, it’s near to impossible to know whom to trust. There is just too much obfuscation and potential for covert behaviour to lump any event under the ‘cyber war’ umbrella... As information remains a hugely valuable commodity, and hacking becomes an increasingly useful tool for acquiring it, cyber war will still focus heavily on data, rather than causing real-world havoc. Both public and private organisations will therefore be targets... individuals will be affected. There will be civilian casualties too, in the data sense at least..."

