Fake HijackThis Toolbar from Facebook
FYI...
- http://www.symantec.com/connect/blog...olbar-facebook
May 2, 2010 - "SPAM emails... have been doing the rounds on the Internet hoping to lure recipients into downloading a Facebook toolbar... the file is neither a Facebook toolbar nor HijackThis. It's a malware detected by Symantec software as Trojan.Dropper..."
(Screenshots available at the URL above.)
- http://blog.trendmicro.com/fake-hija...erves-malware/
May 9, 2010
Phish/fraud via FedEx delivery...
FYI...
- http://isc.sans.org/diary.html?storyid=8734
Last Updated: 2010-05-03 13:53:05 UTC - "... got a fedex envelope with an unexpected check over 2'850$, with him as recipient... called the issuing bank... and found out that the account against which the check was drawn had zero funds. The way this works is that the bad guys follow up the first letter with a second, where they apologize for the mistake, ask the victim to "wire back" 2500$ and "keep the 350$ for your trouble". If you go ahead with this, by the time the check bounces, you have wired the money, and wired money is gone or at least very very hard to get back. Given that the crooks incur quite some expense and risk in this scenario (fedex isn't cheap and often traceable back to the source) they must still be making a killing out of this scam. The second scheme is phishing via old-fashioned paper mail. You get a letter stating that "for security reasons" calling the bank now requires a pin code, included below. Follows a pin code of a length and complexity that makes it unlikely anyone would want to remember it, and two lines down, the helpful comment that the pin code can be changed by calling 1-800-whatever. You do so, and here's what happens next:
Voice: Please enter your account number, followed by the pound key [you type]
Voice: Please enter your current telephone access code [you type in the access code in the letter]
Voice: This access code is incorrect. Please try again. [you type - correctly again]
Voice: This access code is incorrect. Please hold for an operator. [you hold]
Operator: XYZ Bank, my name is QRS, how may I help you [you explain]
Operator: To identify you, we have to ask a couple of security questions. What are the last four digits of your social security number ?
Yep. You get the drift. After this exchange, they have everything they need. Lesson learned: Do not ever call "your bank" on a telephone number included in a letter, email or left on your voice mail. Get to know some employees at the bank branch you do business with, and call them with any questions you might have. Recognizing someone's voice beats a "security pin code" any day."
["This machine has no brain.
...... Use your own."]
Completely fake Banking online...
FYI... "Welcome to: Completely fake Banking online"...
Corporate Identity Theft
- http://www.f-secure.com/weblog/archives/00001945.html
May 3, 2010 - "For online criminals, it's easy to gain access to stolen bank accounts and credit cards. What's much harder is to empty those accounts without getting caught. For this, criminals need money mules: individuals who are recruited to move the money. In many cases these individuals have no idea they are working for organized crime. When phishing and banking trojan victims realize they've lost their money, the tracks will lead to the money mules — not the real criminals. an example of an active money mule recruiting campaign. This one is done in the name of a company called Finha Capital... The website looks fairly credible and quick web search shows that indeed, there is a real company with this name, and it has been operating for decades... The problem is, finha-capital .com has nothing to do with Finha Capital Oy. The site is completely fake. The only reason the website finha-capital .com has been created is to use it as a front end to hire gullible end users to do online payments and to move money for the criminals. These guys are using the reputable brand of an existing company to fool people into their scam. And it's not just Finha Capital... Lessons to be learned?
• Realize that identity theft happens to companies as well as to individuals.
• If somebody offers you a work-for-home position that's too good to be true, it probably is.
• Do not move money for others.
• Check that you're really speaking with who you think you're speaking."
(Screenshots available at the F-secure URL above.)
US Treasury sites compromised
FYI...
US Treasury websites compromised
- http://community.websense.com/blogs/...mpromised.aspx
4 May 2010 - "A few of the US Treasury websites were compromised today and loaded a hidden iframe containing exploit code to anyone who visited the following three sites:
* bep .gov
* bep.treas .gov
* moneyfactory .gov ...
This iframe loads a page from gr[REMOVED]ad .com (hosted in Turkey) which in turn redirects to si[REMOVED]e-g .com/jobs/ (hosted in The Netherlands) which is where the exploits are hosted. In this case it's the Eleonore Exploit Kit that is used which has support for several vulnerabilities in Adobe Reader, Flash, Internet Explorer etc... the exploit kit pushes a malicious PDF to the user which exploits a vulnerability in Adobe Reader. At the time of writing only 20% of all AV vendors detected that file*..."
(Screenshots and video available at the Websense URL above.)
* http://www.virustotal.com/analisis/9...e63-1272930681
File mal.pdf received on 2010.05.03 23:51:21 (UTC)
Result: 8/40 (20.00%)
U.S. Treasury Site Compromise linked to NetworkSolutions Mass WordPress Blogs Compromise
- http://ddanchev.blogspot.com/2010/05...linked-to.html
May 04, 2010
- http://thompson.blog.avg.com/2010/05...te-hacked.html
May 03, 2010
- http://pandalabs.pandasecurity.com/u...g-exploit-kit/
05/4/10
- http://forums.spybot.info/showpost.p...3&postcount=19
May 5, 2010
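The Websense write-up above describes the classic injection chain: a hidden iframe slipped into a legitimate page pulls a redirector on a third-party host, which hands the browser off to an exploit kit. Below is an added example (mine, not code from Websense, the poster, or any of the linked blogs) of a static triage check for that pattern: parse a fetched page, pull out every iframe, and rate any frame that is both hidden and sourced from a different host as high. The two sample pages and the host names redirector.example / cdn.example are constructed for illustration; they are not the redacted gr[REMOVED]ad .com / si[REMOVED]e-g .com hosts from the post, and the check takes the page's own hostname (here www.bep.gov, one of the three sites named) as a parameter.

```python
"""Static check for hidden, third-party <iframe> injections in a fetched HTML page.

Added example for the Websense write-up above; the sample pages are
constructed for illustration and do not reproduce the actual injected code
or the (redacted) redirector hosts named in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks commonly used to keep an injected frame off screen.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"\b(?:width|height)\s*:\s*[01](?:px)?\b|"
    r"\b(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is sized to 0/1 px, carries the hidden attribute, or is styled off screen."""
    def tiny(v):
        return v.strip().lower().rstrip("px") in {"0", "1"}
    if tiny(attrs.get("width", "")) or tiny(attrs.get("height", "")):
        return True
    if "hidden" in attrs:
        return True
    return bool(_HIDDEN_STYLE.search(attrs.get("style", "")))


def find_suspicious_iframes(html, page_host):
    """Return one finding per iframe that is hidden and/or loads from another host.

    A hidden frame pulling from a third-party host (the pattern described in
    the Websense post) is rated "high"; either trait alone is "low".
    """
    parser = _IframeCollector()
    parser.feed(html)
    page_host = page_host.lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or page_host).lower()  # relative src -> same host
        third_party = host != page_host and not host.endswith("." + page_host)
        hidden = _is_hidden(attrs)
        if hidden or third_party:
            findings.append({
                "src": src,
                "host": host,
                "hidden": hidden,
                "third_party": third_party,
                "severity": "high" if (hidden and third_party) else "low",
            })
    return findings


# Constructed samples: a clean page and the same page with two injected frames.
CLEAN_PAGE = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="/video/player.html" width="640" height="360"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://redirector.example/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://redirector.example/x.php" style="position:absolute;left:-9999px"></iframe>
</body>""")


if __name__ == "__main__":
    for f in find_suspicious_iframes(INJECTED_PAGE, "www.bep.gov"):
        print(f["severity"], f["src"], "hidden" if f["hidden"] else "visible", f["host"])
```

Two caveats for anyone using this as a triage step: injected frames are frequently written into the page by obfuscated JavaScript (document.write / eval) rather than sitting in the raw HTML, so run the check against the rendered DOM or diff the served page against a known-good copy as well; and, as the post's VirusTotal result shows, the PDF at the end of the chain was caught by only 8 of 40 engines at the time, so catching the iframe on the web tier is worth more than relying on endpoint AV to stop the payload.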
iTunes giftcard Phish/SCAM ...
FYI...
- http://sunbeltblog.blogspot.com/2010...-giftcard.html
May 05, 2010 - "... should the victim hit “Download program”, they’re taken to the endless advert loop of doom from the fake Facebook Hack website*. All in all, a rather horrible thing to fall for – so don’t!"
* http://sunbeltblog.blogspot.com/2010...k-website.html
May 05, 2010
(Screenshots available at both URLs above.)
- http://community.websense.com/blogs/...ware-spam.aspx
7 May 2010
** http://www.virustotal.com/analisis/0...9ea-1273193875
File ITUNES_C.EXE received on 2010.05.07 00:57:55 (UTC)
Result: 8/41 (19.51%)
- http://www.sophos.com/blogs/gc/g/201...rries-malware/
May 10, 2010
Malicious .SWF file ...DoS attack
FYI...
Malicious .SWF file may trigger a DoS attack
- http://blog.trendmicro.com/malicious...-a-dos-attack/
May 7, 2010 - "... Shockwave Flash (.SWF) file that displays an image and downloads a worm with code capable of initiating a denial-of-service (DoS) attack. The file detected as SWF_PALEVO.KK is hosted on a malicious site and runs whenever users access the site. Once loaded, it displays a screenshot of a YouTube video. The said image, however, is embedded with a malicious link... Clicking the image leads users to a malicious site (http://www.{BLOCKED}com.com/{BLOCKED}layer10.0.45.2.exe) to download a file detected by Trend Micro as WORM_PALEVO.KK. Upon execution, the worm displays a fake dialog box purporting to be an Adobe Flash Player installation with instructions in French. Clicking -any- of the given choices leads to the execution of the malware on the affected system... Apart from infecting users' systems, however, WORM_PALEVO.KK can also initiate a DoS attack that can disable a website, shut down a network, or disrupt a service. This attack is initiated by a remote server that is controlled by a malicious user. The worm receives commands from the remote server to perform several actions such as downloading other malware, downloading updates of itself, and launching a SYN flood attack against target systems. It can also spread and infect a large number of systems since it propagates using MSN Messenger and peer-to-peer (P2P) applications. The variants WORM_PALEVO.KK and SWF_PALEVO.KK are detections related to the Mariposa botnet. Users are strongly advised -against- visiting suspicious-looking sites and clicking the links and images found in them..."
Koobface gang - inside Facebook...
FYI...
Koobface gang... (inside Facebook) scareware serving compromised sites
- http://ddanchev.blogspot.com/2010/05...scareware.html
May 08, 2010 - "... Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromised sites, in a combination with an interesting "visual social engineering trick", across Facebook, which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tips... This active use of the "trusted reputation chain", just like the majority of social engineering centered tactics of the gang, aim to exploit the ubiquitous weak link in the face of the average Internet user... Clicking on this link inside Facebook leads to... a Koobface bogus video...
* Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%) ..."
(More detail and info links at the //ddanchev URL above.)
Google Groups - malicious SPAM...
FYI...
- http://www.m86security.com/labs/i/Go...race.1338~.asp
May 9, 2010 - "... large scale spam campaign, with links leading to Fake Anti-virus "scareware". The spam is originating from the Pushdo botnet, which is notorious for these sorts of malicious campaigns. The spam is not that unusual, rather it comes disguised as an 'administrator' message suggesting your mailbox settings need to be updated... The links all lead to various Google Groups pages where files called setup.zip have simply been uploaded by the attackers..."
(Screenshot available at the URL above.)
Fake Win7 compatibility checker - more malware in SPAM
FYI...
Fake Win7 compatibility checker - more malware in SPAM...
- http://www.theregister.co.uk/2010/05/11/win7_trojan/
11 May 2010 - "... The malware comes as a zip-based attachment to email messages supposedly offering "help" on upgrading Windows boxes. But this "Windows 7 Upgrade Advisor Setup" assistant offers only a Trojan, instead of the promised compatibility checking tool. Windows users who open and run the application end up with systems compromised with a backdoor that allows hackers to insert other viruses and spyware... The main lessons from the attack are that the contents of unsolicited messages are best ignored and, secondly, that virus writers are always trying out new social engineering tricks to dupe the unwary..."