
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #71
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    More Prez SPAM...

    FYI...

    - http://www.theregister.co.uk/2009/01...are_spam_scam/
    19 January 2009

    - http://preview.tinyurl.com/79ay3a
    17 January 09 (PandaLabs blog) - "Today we discovered a botnet controlled, fast-flux operated malware campaign impersonating the United States President-elect Barack Obama’s website. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled, “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer... The attack appears to have originated from China as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION. Xinnet has a history of abuse problems and we have contacted them to remove the domain names... The file names of the malware are:
    • doc.exe , statement.exe , obamaspeech.exe , blog.exe , barack.exe , usa.exe , baracknews.exe , pdf.exe , news.exe , obamasblog.exe , barakblog.exe , statement.exe , president.exe , obamanews.exe ..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #72

    Waledac e-mails - new tactics & new domains...

    FYI...

    Inauguration Themed Waledac - New Tactics & New Domains
    - http://www.shadowserver.org/wiki/pmw...endar.20090119
    January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
    * http://www.shadowserver.org/wiki/upl...ac_domains.txt

    Last edited by AplusWebMaster; 2009-01-20 at 19:54.

  3. #73

    CRA phish...

    FYI...

    Phishing Alert - Canada Revenue Agency
    - http://securitylabs.websense.com/con...erts/3282.aspx
    01.20.2009 - "Websense... has discovered phishing sites spoofing the Web site belonging to Canada Revenue Agency (CRA), the Canadian government’s taxation authority. The fake site is hosted in Germany and uses the same stylesheet and graphics as the real CRA Web site. The phishing site aims to collect personal information such as the victim’s social insurance number, full name, address, date of birth, mother’s maiden name, and credit card information. Upon submitting the data, the user is redirected to the real CRA site. This campaign is timed to coincide with the upcoming CRA deadline for online tax return applications..."


  4. #74

    United Airlines - e-mail scam malware attack...

    FYI...

    United Airlines - e-mail scam malware attack
    - http://www.sophos.com/blogs/gc/g/200...alware-attack/
    January 19, 2009 - "Last week... spammers were sending out emails posing as messages from Northwest Airlines*. The attached file was not an electronic airline ticket of course, but a Trojan horse designed to infect your computer. As anticipated, the hackers have made a simple switch - changing the bait from a Northwest Airlines email to one claiming to come from United Airlines, and spoofing the email address tickets@united .com ... As before, opening the ZIP file is a very bad idea. Although it’s understandable that you might panic into thinking that your credit card has been debited without your permission, for a flight you don’t want or need, you should be cynical enough to smell this for what it is - a dirty rotten scam designed to infect your personal computer."
    * http://www.sophos.com/blogs/gc/g/200...alware-attack/

    (Screenshots available at both URLs above.)

    Video: http://www.sophos.com/blogs/gc/g/200...lware-campaign


  5. #75

    Valentine SPAM already!...

    FYI...

    Valentine SPAM already!...
    - http://blog.trendmicro.com/waledac-loves-to-spam-you/
    Jan. 26, 2009 - "Holidays and popular annual events as a social engineering tool in spamming is a signature Storm technique. The following spammed email message should then cement WALEDAC’s association with the said bot giant...
    Spammed Valentine’s greetings.
    These messages flood inboxes weeks before Valentine’s day, also typical of previous Storm spam runs. Clicking on the link redirects a user to a site with heart images. When this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR... Beside the social engineering techniques used in email, following are the similar methods applied by this worm family:
    • Fast-flux networks and several different name servers used per domain
    • File names ecard.exe and postcard.exe
    • In some instances, the installation of rogue antispyware ..."

    (Screenshots available at the URL above.)


  6. #76

    IEC website compromised

    FYI...

    IEC website compromised
    - http://securitylabs.websense.com/con...erts/3289.aspx
    01.27.2009 - "Websense... has discovered that a subdomain of the International Electrotechnical Commission (IEC) Web site has been compromised. The IEC is an international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies... The infected subdomain belongs to the TC26 group. Unprotected users would be subjected to execution of obfuscated Javascript that -redirects- to an exploit site, hosting exploits for Internet Explorer, QuickTime and AOL SuperBuddy. Successful execution of the exploit code incurs a drive-by download. This installs a backdoor on the compromised machine. Major antivirus vendors are -not- detecting this payload..."

    (Screenshots available at the URL above.)


  7. #77

    Fed Reserve Bank phish-about-phish...

    FYI...

    Fed Reserve Bank phish-about-phish
    - http://www.hoax-slayer.com/federal-r...m-emails.shtml
    28 January 2009 - "Email purporting to be from the Federal Reserve Bank claims that U.S. Treasury Department has imposed restrictions on federal wire transfers due to a widespread phishing attack... Email is -not- from the Reserve Bank - Links lead to bogus websites... The FDIC published an alert* about the scam..."
    * http://www.fdic.gov/news/news/Specia...9/sa09020.html
    FDIC: SA-20-2009 January 15, 2009


  8. #78

    Transient threats on the Web...

    FYI...

    - http://www.pcmag.com/article2/0,2817,2339712,00.asp
    01.27.09 Larry Seltzer - "...AVG has released research that indicates the number and volatility of web sites serving malicious code is increasing dramatically... Almost 60% of these sites are up for less than one day. The goal of these techniques seems to be to defeat blacklist-based protections. AVG calls them transient threats. What are these web pages? Few are actually put up to serve malware. Some of them are blog comments, some are advertisements, many are legitimate web sites corrupted through HTML/script injection, and many have been corrupted through compromises of SQL servers through SQL injection. These compromised web sites are tricked into redirecting users to the few sites that directly serve the malware. The combination of the Apache web server and PHP scripting engine are a favorite target of attackers. There are large numbers of vulnerabilities for attackers to exploit and no automated patch system to make sure servers are protected... The actual malware being served varies from fake codecs, game password-stealing attacks to fake anti-spyware. The fake codec sites are the most volatile, with 62% active for less than a day. The fake anti-spyware sites are more stable, but 28% are active less than a day and the average is less than 2 weeks..."


  9. #79

    Work-At-Home Scams...

    FYI...

    Work-At-Home Scams...
    - http://www.ic3.gov/media/2009/090203.aspx
    February 3, 2009 - "Consumers need to be vigilant when seeking employment on-line. The IC3 continues to receive numerous complaints from individuals who have fallen victim to work-at-home scams. Victims are often hired to "process payments", "transfer funds" or "reship products." These job scams involve the victims receiving and cashing fraudulent checks, transferring illegally obtained funds for the criminals, or receiving stolen merchandise and shipping it to the criminals. Other victims sign up to be a "mystery shopper", receiving fraudulent checks with instructions to cash the checks and wire the funds to "test" a company's services.

    Victims are told they will be compensated with a portion of the merchandise or funds. Work-at-home schemes attract otherwise innocent individuals, causing them to become part of criminal schemes without realizing they are engaging in illegal behavior. Job scams often provide criminals the opportunity to commit identity theft when victims provide their personal information, sometimes even bank account information to their potential "employer." The criminal/employer can then use the victim's information to open credit cards, post on-line auctions, register Web sites, etc., in the victim's name to commit additional crimes..."


  10. #80

    $9M Hacked at ATMs in 1 day...

    FYI...

    - http://blog.wired.com/27bstroke6/2009/02/atm.html
    February 03, 2009 - "A carefully coordinated global ATM heist last November resulted in a one-day haul of $9 million in cash, after a hacker penetrated a server at payment processor RBS WorldPay... RBS WorldPay announced on December 23 that they'd been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other mag-stripe data needed to clone the debit cards were also compromised in the breach. At the time, the company said it identified fraudulent activity on only 100 cards, making it sound like small beans. But it turns out the hacker managed to lift the withdrawal limits on those 100 cards, before dispatching a global army of cashers to drain them with repeated rapid-fire withdrawals. More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8. A class action lawsuit has been filed against RBS WorldPay on behalf of consumers..."
    (Video available at the Wired URL above.)

    - http://voices.washingtonpost.com/sec...lti-milli.html
    February 5, 2009 - "...some $50 million was lost to ATM fraud in New York City alone over the course of one month last year..."

    Last edited by AplusWebMaster; 2009-02-06 at 13:35.
