
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #631
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Zeus P2P variant exploits... steal Debit Card Data

    FYI...

    Zeus P2P variant exploits... steal Debit Card Data
    - https://www.trusteer.com/blog/zeus-p...ebit-card-data
    May 15, 2012 - "... recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the internet’s leading online services and websites. The attacks are targeting users of Facebook, Google Mail, Hotmail and Yahoo – offering rebates and new security measures. The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data. In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account. The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake web form prompts the victim to enter their debit card number, expiration date, security code, and PIN...
    > https://www.trusteer.com/sites/defau...e%20inject.png
    Malware web inject presented to Facebook users ^
    ... In the attacks against Google Mail, Hotmail and Yahoo users, Zeus offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs. To complete an online transaction many merchants require cardholders to authenticate using their personal 3D Secure password... The scam that targets Google Mail and Yahoo users claims that by linking their debit card to their web mail accounts all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively... The victim is prompted to enter their debit card number, expiration date, security code, and PIN... leveraging the Verified by Visa and MasterCard SecureCode brands to make the scam more credible.
    > https://www.trusteer.com/sites/defau...e%20inject.png
    Malware web inject presented to Gmail users ^
    > https://www.trusteer.com/sites/defau...e%20inject.png
    Malware web inject presented to Yahoo users ^
    ... The attack against Hotmail users is similar to the Google Mail and Yahoo scam... The offer states that the service will prevent purchases from being made on the internet with the card unless the Hotmail account information and additional password are provided. The webinject requests the same information (debit card number, expiration date, security code, and PIN) as in the previous two scams.
    > https://www.trusteer.com/sites/defau...e%20inject.png
    Malware web inject presented to Microsoft Hotmail users ^
    ... These webinjects* are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud... the fraudsters are using the fear of the very cybercrime they are committing to prey on their victims."
    * http://www.trusteer.com/blog/webinje...rground-market

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #632
    AplusWebMaster

    Wikipedia ads seen? - you are probably infected with malware

    FYI...

    If you see ads on Wikipedia, your computer is probably -infected- with malware
    - https://blog.wikimedia.org/2012/05/1...ected-malware/
    May 14, 2012 - "We -never- run ads on Wikipedia. Wikipedia is funded by more than a million donors, who give an average donation of less than 30 dollars. We run fundraising appeals, usually at the end of the year. If you’re seeing advertisements for a for-profit industry... or anything but our fundraiser, then your web browser has likely been infected with malware ...
    > https://blog.wikimedia.org/wp-conten...it-700x273.jpg
    One example that we have seen installs itself as a browser extension. The extension is called “I want this” and installs itself in Google Chrome. To remove it:
    - Open the options menu via the “pipe-wrench” icon on the top right, and choose Settings.
    - Open the Extensions panel and there is the list of extensions installed.
    - Remove an Extension by clicking the Remove button next to an item.
    There is likely other similar malware that injects ads into Chrome, Firefox, Internet Explorer and other popular browsers... Ads injected in this manner may be confined to some sites, even just to Wikipedia, or they may show up on -all- sites you visit. Browsing through a secure (HTTPS) connection (which you can automate using the HTTPS everywhere extension**) may cause the ads to disappear, but will -not- fix the underlying problem. Disabling browser add-ins is a good starting point to determine the source of these types of ads. This does not necessarily fix the source of the problem either, as malware may make deep changes to your operating system. If you’re comfortable attempting a malware scan and removal yourself, there are various spyware/malware removal tools. Popular and well-reviewed solutions include Ad-Aware and Malwarebytes... If in doubt, have your computer evaluated for malware by a competent and qualified computer repair center. There is one other reason you might be seeing advertisements: Your Internet provider may be injecting them into web pages. This is most likely the case with Internet cafes or “free” wireless connections. This New York Times blog post by Brian Chen gives an example*. But rest assured: you won’t be seeing legitimate advertisements on Wikipedia. We’re here to distribute the sum of human knowledge to everyone on the planet — ad-free, forever..."
    * http://bits.blogs.nytimes.com/2012/0...marriott-wifi/

    ** https://www.eff.org/https-everywhere/
    ___

    - https://krebsonsecurity.com/2012/05/...er-extensions/
    May 21, 2012

    Last edited by AplusWebMaster; 2012-05-22 at 01:12.

  3. #633
    AplusWebMaster

    621 "Most Visited" sites are on Google's Black List...

    FYI...

    621 "Most Visited" sites are on Google's Black List
    - https://threatpost.com/en_us/blogs/h...ck-list-051512
    May 15, 2012 - "Legitimate Web sites that have been -hijacked- and used to serve malicious content greatly -outnumber- malicious sites on a list of the most-trafficked sites on Google's blacklist, according to analysis by security firm Zscaler*..."

    * http://research.zscaler.com/2012/05/...acklisted.html
    "Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal - users of these three browsers are warned not to visit the sites and Google puts warnings in their search results... I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious (charted at the Zscaler URL above). Most of the top-ranked websites that have been blacklisted are not malicious by nature, but they have been hijacked. Malicious JavaScript, similar to the code we found on a French government website, or a malicious IFRAME is generally the culprit. It is interesting to notice that Google decided to blacklist the infected site, rather than just blocking the external domain hosting the malicious content. I have also checked to see which country the blacklisted domain is hosted in. Here is the breakdown:
    > http://1.bp.blogspot.com/-_Jj9WdVe8B...er-country.png
    ... Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%)... Windows users with Internet Explorer 6 and 7 users get the old "iepeers.dll" exploit (a different version for each browser). No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point."


  4. #634
    AplusWebMaster

    Facebook worm spreads via Private Messages, Instant Messengers...

    FYI...

    Facebook worm spreads via Private Messages, Instant Messengers
    - http://blog.trendmicro.com/worm-spre...nt-messengers/
    May 17, 2012 - "... recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www .facebook .com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www .facebook .com” and uses the extension “.COM”. Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself. Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites*..."
    * http://about-threats.trendmicro.com/...cialmedia-101/


  5. #635
    AplusWebMaster

    Bogus Pinterest pins lead to Survey Scams

    FYI...

    Bogus Pinterest pins lead to Survey Scams
    - http://blog.trendmicro.com/bogus-pin...-survey-scams/
    May 18, 2012 - "The continuing increase in visitors to the Pinterest site may be a primary cause why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to surveys scams... new wave of survey scams found came from search using “pinterest” as keyword... Upon clicking the link, users are -redirected- to a Pinterest-like webpage offering prizes, vouchers, gift cards and others... Made to resemble like a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are -not- clickable... After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message... the fake site requires an email address...
    > http://blog.trendmicro.com/wp-conten...t_repins_4.jpg
    Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages..."


  6. #636
    AplusWebMaster

    ZeuS ransomware feature: win_unlock

    FYI...

    ZeuS ransomware feature: win_unlock
    - https://www.f-secure.com/weblog/archives/00002367.html
    May 21, 2012 - "... new variant of ZeuS 2.x. It includes a new backdoor command called: win_unlock... this slightly modified ZeuS 2.x includes a ransomware feature. When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs .com/locker /lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline. The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system, luckily the locking itself can be easily disabled first. Looking at the code that corresponds with a received win_unlock command, it's clear the unlock information is stored to the registry. Unlocking can therefore be performed quite easily with a registry editor:
    1. boot the system in safe mode
    2. add a new key named syscheck under HKEY_CURRENT_USER
    3. create a new DWORD value under the syscheck key
    4. set the name of the new DWORD value to Checked
    5. set the data for the Checked value to 1
    6. reboot
    SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119 ..."

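    The six registry steps quoted from F-Secure above, as an added PowerShell example (not code from F-Secure or from this thread). The key and value names (HKCU\syscheck, DWORD "Checked" = 1) are exactly the ones the post lists; the function names, the default path parameter and the use of PowerShell rather than regedit are this example's own assumptions. It only disables the locker so the system becomes usable again; the trojan itself still has to be removed afterwards, as the post says.

```powershell
# Added example (not from the F-Secure post): applies the win_unlock registry
# setting the post describes, then reads it back to confirm.
# Assumed: run from Safe Mode (step 1 of the post), then reboot (step 6).

function Set-ZeusUnlockValue {
    [CmdletBinding()]
    param(
        # HKCU\syscheck is the key named in the post; the parameter exists only
        # so the function can be exercised against a scratch key when testing.
        [string]$KeyPath = 'HKCU:\syscheck'
    )
    if (-not (Test-Path -Path $KeyPath)) {
        # Step 2: create a key named syscheck under HKEY_CURRENT_USER
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 3-5: a DWORD value named Checked with data 1 (-Force overwrites an
    # existing value of the same name)
    New-ItemProperty -Path $KeyPath -Name 'Checked' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ZeusUnlockValue {
    param([string]$KeyPath = 'HKCU:\syscheck')
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Checked' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Checked -eq 1)
}

# Usage: set the value, confirm it, then reboot normally and remove the trojan.
Set-ZeusUnlockValue
if (Test-ZeusUnlockValue) {
    Write-Output 'HKCU\syscheck\Checked = 1 is set; reboot to clear the lock screen.'
} else {
    Write-Output 'Value not set; check the HKCU hive is writable from this session.'
}
```

    HKCU is writable without elevation, so a plain Safe Mode session of the affected user account is enough. The SHA1 quoted in the post is what to compare against the dropped binary when confirming that this is the same variant before relying on the registry switch.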

  7. #637
    AplusWebMaster

    Facebook cancellation malware poses as Flash update

    FYI...

    Facebook cancellation malware poses as Flash update
    - http://nakedsecurity.sophos.com/2012...-flash-update/
    May 21, 2012 - "Have you received an email asking you to confirm that you wish to cancel your account? Be on your guard... reader was in touch with us earlier today, after his suspicions were aroused by an email he had received - seemingly from Facebook. Malicious email claiming to come from Facebook
    Hi [email address]
    We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request
    Thanks,
    The Facebook Team
    To confirm or cancel this request, follow the link below:
    click here
    ... The link doesn't point to an official Facebook page, but a third-party application running on the Facebook platform. Of course, that means that the link -does- go to a facebook .com address - something might fool those who are not cautious. The first thing you're likely to encounter if you did click on the link is a message asking you if you want to allow an unknown Java applet to run on your computer... they're pretty insistent that you allow it.. If you hit the "No thanks" button they'll just carry on pestering you to allow the Java applet to run... They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family... If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated... the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, which have the intention of allowing remote hackers to spy on your activities and take control of your computer..."


  8. #638
    AplusWebMaster

    'LinkedIn Invitation’ SPAM serving exploits and malware

    FYI...

    'LinkedIn Invitation’ SPAM serving exploits and malware
    - http://blog.webroot.com/2012/05/22/o...s-and-malware/
    May 22, 2012 - "... another round of malicious emails to millions of end and corporate users.
    More details:
    Once the user clicks on the link (hxxp ://hseclub .net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0
    Upon execution the sample attempts to connect to the following hosts:
    • janisjhnbdaklsjsad .ru:443 with user janisjhnbdaklsjsad .ru and password janisjhnbdaklsjsad .ru – 91.229.91.73, AS50939, SPACE-AS
    • sllflfjsnd784982ncbmvbjh434554b3 .ru – 91.217.162.42, AS29568, COMTEL-AS
    • kamperazonsjdnjhffaaaae38 .ru – 91.217.162.42, AS29568, COMTEL-AS
    • iiioioiiiiooii2iio1oi .ru – 91.217.162.42, AS29568, COMTEL-AS
    Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad .ru in particular..."
    > https://webrootblog.files.wordpress....ts_malware.png
    ___

    - http://www.google.com/safebrowsing/d...?site=AS:50939
    "... this network has hosted sites that have distributed malicious software in the past 90 days. We found 26 site(s)... that infected 42 other site(s)..."

    - http://www.google.com/safebrowsing/d...?site=AS:29568
    "... this network has hosted sites that have distributed malicious software in the past 90 days. We found 668 site(s)... that infected 544 other site(s)..."

    Last edited by AplusWebMaster; 2012-05-23 at 13:36.
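    The hosts, IPs and MD5s quoted from Webroot above are the kind of indicator list a defender feeds straight into log review. The following is an added PowerShell example, not code from Webroot or from this thread: it matches those published indicators (refanged, since the post spaces them out) against a few constructed proxy, DNS and AV log lines. The log format, the field layout and the function names are this example's assumptions; the indicators themselves come only from the post. Note that the IPs and AS numbers are as of May 2012 and get reassigned, so the hostnames and hashes are the durable part of the list.

```powershell
# Added example (not from the Webroot post): indicator matching over log lines.
# Indicators below are the ones quoted in the post; sample log lines are constructed.

$Indicators = @{
    Domains = @(
        'hseclub.net',                          # exploit landing page from the post
        'janisjhnbdaklsjsad.ru',                # C&C hosts from the post
        'sllflfjsnd784982ncbmvbjh434554b3.ru',
        'kamperazonsjdnjhffaaaae38.ru',
        'iiioioiiiiooii2iio1oi.ru'
    )
    IPs    = @('91.229.91.73', '91.217.162.42')   # resolved addresses at the time of the post
    Hashes = @('66dfb48ddc624064d21d371507191ff0', '4b1fce0f9a8abdcb7ac515d382c55013')
}

function Find-IndicatorHits {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [hashtable]$Ioc = $Indicators
    )
    foreach ($line in $LogLines) {
        $lower = $line.ToLowerInvariant()
        foreach ($d in $Ioc.Domains) {
            # whole-hostname match: the domain itself or any subdomain of it,
            # bounded by characters that cannot be part of a hostname
            $pattern = '(^|[^a-z0-9.-])(([a-z0-9-]+\.)*' + [regex]::Escape($d) + ')([^a-z0-9.-]|$)'
            if ($lower -match $pattern) {
                [pscustomobject]@{ Type = 'domain'; Indicator = $d; Line = $line }
            }
        }
        foreach ($ip in $Ioc.IPs) {
            # bounded so 91.229.91.73 does not match inside 191.229.91.730
            $pattern = '(^|[^0-9.])' + [regex]::Escape($ip) + '([^0-9.]|$)'
            if ($lower -match $pattern) {
                [pscustomobject]@{ Type = 'ip'; Indicator = $ip; Line = $line }
            }
        }
        foreach ($h in $Ioc.Hashes) {
            if ($lower.Contains($h)) {
                [pscustomobject]@{ Type = 'md5'; Indicator = $h; Line = $line }
            }
        }
    }
}

# Constructed sample log lines (not real traffic); 10.0.0.15 is the hypothetical victim.
$SampleLogs = @(
    '2012-05-22T10:01:03Z proxy 10.0.0.15 GET http://hseclub.net/main.php?page=d72ac4be16dd8476 200',
    '2012-05-22T10:01:09Z dns   10.0.0.15 query A janisjhnbdaklsjsad.ru -> 91.229.91.73',
    '2012-05-22T10:01:11Z proxy 10.0.0.15 CONNECT janisjhnbdaklsjsad.ru:443',
    '2012-05-22T10:02:00Z proxy 10.0.0.22 GET http://www.example.com/ 200',
    '2012-05-22T10:03:41Z av    10.0.0.15 quarantined C:\Users\u\AppData\Local\Temp\x.exe md5=66dfb48ddc624064d21d371507191ff0'
)

# Expected: hits on lines 1, 2 (domain and IP), 3 and 5; nothing on line 4.
Find-IndicatorHits -LogLines $SampleLogs | Format-Table -AutoSize
```

    The hostname regex deliberately matches subdomains, because C&C traffic often appears under a host label that the published list does not mention, while the IP match is bounded so that a longer address containing the same digits does not produce a false hit. The host on the landing URL (hseclub .net in the post) is included because it is the first contact in the chain and will show up in proxy logs before any C&C traffic does.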

  9. #639
    AplusWebMaster

    Trojan bypasses mobile security to steal from Online Banking users ...

    FYI...

    Trojan bypasses mobile security to steal from Online Banking users ...
    - https://www.trusteer.com/blog/tatang...-users-germany
    May 22, 2012 - "... a complex new criminal scheme involving the Tatanga Trojan that conducts an elaborate Man in the Browser (MitB) attack to bypass SMS based transaction authorization to commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account. Even though the victim is presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses “experimental” data and that no money will leave their account... Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction... By combining a MitB attack and social engineering, Tatanga is able to circumvent out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post transaction attack mechanism. 
    Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker... they are blending multiple attack methods in a single fraud scam... However, they still need to compromise the endpoint with malware, which can be prevented."


  10. #640
    AplusWebMaster

    Flame: Questions and Answers

    FYI...

    Flame: Questions and Answers
    - https://www.securelist.com/en/blog/2...ns_and_Answers
    May 28, 2012 - "... Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage..."
    (More detail at the Kaspersky URL above.)

    > https://www.securelist.com/en/images.../208193524.png

    - http://www.symantec.com/connect/blog...ts-middle-east
    May 28, 2012 - "... Several component files have been identified. These are:
    • advnetcfg.ocx
    • ccalc32.sys
    • mssecmgr.sys
    • msglu32.ocx
    • boot32drv.sys
    • nteps32.ocx ..."

    - https://www.f-secure.com/weblog/archives/00002371.html
    May 28, 2012
    > https://www.f-secure.com/weblog/archives/flame.png

    - http://community.websense.com/blogs/...-skywiper.aspx
    29 May 2012
    ___

    - http://www.symantec.com/connect/blog...ture-w32flamer
    30 May 2012 - "... Full understanding of W32.Flamer requires analyzing each of the approximately 60 embedded Lua scripts, reversing each of the sub-components, and then building this all back together..."
    ___

    UN to warn member nations on risk of Flame virus
    - http://atlas.arbor.net/briefs/index#-264998726
    Severity: Elevated
    May 30, 2012
    Analysis: ... the threat from this malware or any other malware with the same types of capabilities can be significant, depending upon the motives of those driving the attack campaigns. Nation states may be involved and using this toolkit for spying purposes, but there is no clear attribution at this stage.
    Source: http://www.reuters.com/article/2012/...8GT7X120120529

    Last edited by AplusWebMaster; 2012-05-31 at 22:53.
