SPAM frauds, fakes, and other MALWARE deliveries - archive

[AplusWebMaster]

FYI...

Bogus ‘Balance Checker’ tool carries malware
- http://blog.trendmicro.com/bogus-bal...rries-malware/
Nov. 14, 2009 - "... received samples of spammed messages that purports to come from mobile phone companies, Vodafone and Verizon Wireless. The email messages carry the subject, “Your credit balance is over its limits” and inform users that their credit balance is due. To be able to review the payments, users should employed the balance checker tool attached in the email... When users opened the attached .ZIP file, they won’t find any ballance checker tool and instead will get a malicious file (balancechecker.exe) detected by Trend Micro as TSPY_ZBOT.SMP. TSPY_ZBOT.SMP steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities for difficult detection and removal. Users are strongly advised not to open any suspicious-looking emails even it comes from a known source. It also good to verify first any email coming from your mobile services provider just to be sure if it is legitimate or not..."

[AplusWebMaster]

FYI...

Online criminals cash in on swine flu
- http://www.sophos.com/blogs/gc/g/200...ssian-hackers/
November 16, 2009 - "As the number of reported swine flu cases climbs, it's time a strong message was sent out against buying Tamiflu over the internet. Research published by Sophos* exposes the profit model of the Russian cybercriminals making millions of pounds from counterfeit Tamiflu. Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes... The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet..."
* http://www.sophos.com/sophos/docs/en...2009-paper.pdf
"... The ‘Canadian Pharmacy’ group now holds the number one position in the Spamhaus Top 10 spammers list... Searching for GlavMed’s support number reveals over 120,000 online pharmacy sites..."

[AplusWebMaster]

FYI...

Payment Request SPAM contains malware
- http://blog.trendmicro.com/payment-r...tains-malware/
Nov. 18, 2009 - "TrendLabs researchers received spammed messages purporting to have come from various companies such as eBay, J.P. Morgan Chase and Co., and Colgate-Palmolive, among others. The email bore the subject, “Payment request from,” and informs users about a certain recorded payment request... The spammed message even gave users two options—to either ignore the email if the payment request has been made or to download the attached .ZIP file and install the inspector module to decline the said payment request. If the user does not make any transaction, he/she still needs to download the attachment just to cancel the payment request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe) detected by Trend Micro as TROJ_AGENTT.WTRA. Users are advised to be wary before opening -any- attached files even if they come from known sources. It is also best to verify emails you receive from any company first just to be sure it is legitimate..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

FDA targets online pharmacy counterfeits
- http://www.theregister.co.uk/2009/11...armacy_action/
20 November 2009 - "The US Food and Drug Administration said it has completed a sweep of illegal online pharmacies that targeted 136 websites that appeared to be illegally selling drugs to American consumers... Websites peddling Viagra, steroids and other pharmaceuticals have emerged as a major source of spam over the past few years. In addition to clogging inboxes, the sites can put customers' health at risk because the drugs are frequently counterfeits. According to a study released in August, almost 90 percent of online drugstores advertised on Microsoft's Bing search engine violated federal and state laws... The FDA said the notices* sent to service providers and registrars may give them grounds to terminate service to their customers."
* http://www.fda.gov/NewsEvents/Newsro.../ucm191330.htm

> http://www.fda.gov/ForConsumers/Cons.../ucm048396.htm

- http://forums.spybot.info/showpost.p...&postcount=174

[AplusWebMaster]

FYI...

SPAM/phish/malware Zbot all-in-one
- http://www.pcgenius.com/uncategorize...alware-attack/
November 24, 2009 — "Email security experts at Red Condor issued a warning about the latest spam campaign that contains a phishing ploy and a malware threat. The email requests that recipients click on a link in the body of the email to update the “security mode” of their email box. Users that click on the link are taken to a web site that recommends that they update to the latest version of the Macromedia Flash Player by downloading “flashinstaller.exe.” The executable is actually a banking Trojan that is known to disable firewalls, steal sensitive financial data and provide hackers with remote access capabilities. The malware is more commonly known as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee) or PWS:Win32/Zbot.gen!R (Micorsoft). The spam campaign was detected late on November 20, 2009, and within the first six hours, Red Condor had blocked more than 500,000 emails..."

[AplusWebMaster]

FYI...

Another ZBOT SPAM run
- http://blog.trendmicro.com/another-zbot-spam-run/
Nov. 27, 2009 - "... another ZBOT spam campaign. The emails bear subjects such as “your photos” and “some jerk has posted your photos.” They inform the recipients that someone has posted their photos without their permission on a site and has sent the link to their friends. The recipient is intended to believe that the “sender” is acting as a “good samaritan,” emailing the one who supposedly posted the said pictures. The URL, of course, points to a website that distributes a malware detected by Trend Micro as TSPY_ZBOT.CJA... When executed TSPY_ZBOT.CJA connects to several websites to download another malicious file detected as TROJ_DROPR.KB. The spyware also has rootkit capabilities that enable it to hide its processes. ZBOT/ZeuS is one of the most notorious botnets with regard to identity, financial, and information theft. Users are strongly advised not to open emails from unknown sources..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Koobface using Christmas theme
- http://securitylabs.websense.com/con...erts/3505.aspx
11.30.2009 - "Websense... has discovered that the Koobface malware campaign is now using a Christmas theme. Recent developments by Koobface have included use of Google Reader. The Koobface Web site offers a video posted by 'SantA'. The usual ruse of requiring a codec to watch the video is used, to encourage the user to install and run a file called setup.exe (SHA1:a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 out of 41 antivirus products according to VirusTotal*. On the compromised Facebook page the user is presented with a link to ch[removed]cher .ch which is a compromised site in Switzerland. The user is -redirected- to one of several Koobface Web sites through a malicious Flash movie file hosted on the compromised site. If the user runs the infected file, the worm will automatically login to their Facebook, Myspace, and several other social networking sites and send messages to all their friends..."
* http://www.virustotal.com/analisis/5...8af-1259587988
File setup.exe received on 2009.11.30 13:33:08 (UTC)
Result: 16/41 (39.02%)

(Screenshots available at the Websense URL above.)

[AplusWebMaster]

FYI...

Zeus bot SPAM fakes CDC request
- http://www.symantec.com/connect/blog...ches-swine-flu
December 1, 2009 - "... the Zeus bot crew... latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page... The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine... The subject lines used in the emails are quite variable; for example, the following have been seen:
• Instructions on creation of your personal Vaccination Profile
• Governmental registration program on the H1N1 vaccination
• Your personal Vaccination Profile
The domain used in these email links has the format of online.cdc.gov.[RANDOM CHARS].[TLD NAME].im
For example:
• online.cdc.gov.yhnbad.com.im
• online.cdc.gov.yttt4r.org.im
• online.cdc.gov.yhnbam.co.im
As is usually the case with these campaigns, the URL that is supposed to be a document actually leads to an executable file. This one is named vacc_profile.exe* and is detected by Symantec as Infostealer.Banker.C. Incidentally, the URL is also “personalized” with the email address of the recipient to make it look that little bit more authentic and less like mass-mailed spam..."

(Screenshots available at the Symantec URL above.)

- http://ddanchev.blogspot.com/2009/12...swine-flu.html
December 02, 2009

* http://www.virustotal.com/analisis/4...227-1259719511
File vacc_profile.exe received on 2009.12.02 02:05:11 (UTC)
Result: 14/41 (34.15%)

- http://www.threatexpert.com/report.a...12da03f4f376ad
1 December 2009

- http://www.us-cert.gov/current/#h1n1...gn_circulating
December 2, 2009

[AplusWebMaster]

FYI...

Malware - Facebook pwd reset SPAM
- http://isc.sans.org/diary.html?storyid=7729
Last Updated: 2009-12-10 18:09:17 UTC - "... email today purporting to be from Facebook, which of course had an attachment. The file was Facebook_Password_833fd.zip*, which unzipped to be Facebook_Password_833fd.exe. The zip file is in fact a zip file, and the exe is in fact MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit (according to the file command). The subject line is "Facebook Password Reset Confirmation. Customer Support"... Which is an attempt to get you to first open the attachment, unzip the file, and then run the executable content... First set of Virustotal results were 20/41 today at 01:30:12 (UTC) https://www.virustotal.com/analisis/...322-1260408612 when I ran it again at 17:49:06 (UTC) they were up to 26/41 detection. It is a dropper which subsequently downloads and executes other badness.
Facebook does not send out passwords in attached files. If you have forgotten your password on Facebook reset it here: http://www.facebook.com/reset.php if you cannot login to your account (someone else has taken it over) go to this page: http://www.facebook.com/help.php?topic=login, which also has this advisory on it:
"Fake password reset emails
Some users have received fake password reset emails with attachments that contain viruses. Do not click on these emails or download the attachment. Also, please note that Facebook will -never- send you a new password as an attachment. To learn more visit our Security page:
http://www.facebook.com/security ..."

[AplusWebMaster]

FYI...

Phish for FTP pwd's...
- http://www.symantec.com/connect/blog...tp-credentials
December 11, 2009 - "... attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack. The attackers asks users to click on the link provided in the spam message, which will lead the users to open an “FTP access confirmation” page where the FTP credentials of the recipients are stolen. Attackers use a phishing cPanel page to do this (cPanel* is a Web hosting administration tool)... The phishing URL contains a user’s email address and the domain name of a Web hosting service provider. Once FTP credentials are entered and submitted by clicking the “Confirm FTP Access” button, users are directed to their hosting site that is specified in a “service=” tag. Example:
http ://cpanel.[removed]. me.uk/scripts/cpanel-ftp-confirmation.php?session=[removed]&email=[removed]&service=[hosting domain name]
Giving up FTP details may lead to a further loss of confidential data, the hosting of illegal websites (child pornography sites, phishing sites, etc.), and/or delivery of malware to the victim's computer by the attacker..."
* http://www.cpanel.net/



Visa targeted by ZBOT phish/SPAM
- http://blog.webroot.com/2009/12/11/v...zbot-phishers/
December 11, 2009 - "... targeting Visa with a fake email alert that leads to a page hosting not only a Trojan-Backdoor-Zbot installer, but that performs a drive-by download as well. This is the second time in less than a month that malware distributors have targeted Visa... we saw a similar scam involving links to bunk Verified By Visa Web pages... malware distributors are using fraudulent transaction warnings as a method to infect users with a keylogger capable of stealing their credit card information when the victim enters it into a shopping Web site, but Visa doesn’t issue these kinds of warnings—the Visa-card-issuing bank warns customers of suspected fraud themselves, and they never do anything with that level of urgency via email... As in earlier iterations of this scam, Zbot isn’t just interested in transaction details or Website logins. Zbot also steals the login credentials for virtually every Windows FTP client application — the tools that Web designers and other website administrators use to upload files to Web sites. FTP logins are far more valuable, because it gives the malware distributors another means to spread their code onto the Web. If you’ve been wondering why so many otherwise legitimate Web sites seem to be getting hacked, and having malicious code uploaded to Web sites belonging to small businesses, private individuals, and others, this is why: Zbot is taking those passwords, and handing them off to people who trade not only in malicious code, but in abusing the good reputations of legitimate Website owners or the people who help manage them.
Don’t be a victim: Don’t follow the link in the message. Don’t download the “statement” on the page. If you see a page that looks like the screen above*, immediately kill your browser and scan your computer for Zbot. The drive-by download component of this scam means you could be infected merely by visiting the page using a vulnerable browser. Most importantly, if you suspect a credit card fraud report email may be real, pick up the telephone and call the number on the back of your card."
* Screenshot available at the Webroot URL above.

M86 Security
- http://www.m86security.com/labs/i/Pu...race.1207~.asp
December 14, 2009