SPAM frauds, fakes, and other MALWARE deliveries - archive

Twitter worm out there...

FYI...

Twitter worm - out there...
- http://isc.sans.edu/diary.html?storyid=10297
Last Updated: 2011-01-20 16:41:39 UTC - "... new twitter worm out there. There is an increased number of messages... Those short URLs point to the servers providing the malware. The following are some of the malicious URLs I could gather (CAREFUL: THEY ARE STILL ACTIVE):
• http ://cainnoventa .it/m28sx.html
• http ://servizialcittadino .it/m28sx.html
• http ://aimos.fr/m28sx .html
• http ://lowcostcoiffure .fr/m28sx.html
• http ://s15248477.onlinehome-server .info/m28sx.html
• http ://www.waseetstore .com/m28sx.html
• http ://www.gemini .ee/m28sx.html
After clicking on the URL, you are sent to a fake AV web page..."
(Screenshots available at the ISC URL above.)
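Added example (not from the ISC diary or its author): a hunt over a web-proxy log for the indicator hosts listed above and, more usefully, for the shared page name turning up on hosts that are not on the list yet. The worm used one file name on many unrelated compromised sites, so grouping requests by path across distinct hosts catches stragglers. The log lines and the five-field log layout (time, client, method, url, status) are constructed for illustration.

```python
"""Hunt a web-proxy log for the Twitter worm's landing pages.

Added example, not from the ISC diary. The indicator list is the diary's, still defanged;
the log sample and its five-field layout are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Defanged indicators exactly as published (spaces inserted to break the links).
DEFANGED_INDICATORS = [
    "http ://cainnoventa .it/m28sx.html",
    "http ://servizialcittadino .it/m28sx.html",
    "http ://aimos.fr/m28sx .html",
    "http ://lowcostcoiffure .fr/m28sx.html",
    "http ://s15248477.onlinehome-server .info/m28sx.html",
    "http ://www.waseetstore .com/m28sx.html",
    "http ://www.gemini .ee/m28sx.html",
]


def refang(url: str) -> str:
    """Undo the 'http ://host .tld' defanging so the URL can be parsed."""
    return url.replace(" ", "")


def known_bad_hosts() -> set:
    return {urlsplit(refang(u)).hostname for u in DEFANGED_INDICATORS}


# Constructed sample log (not real traffic): time client method url status
SAMPLE_LOG = """\
2011-01-20T15:02:11Z 10.0.0.12 GET http://goo.gl/abc12 302
2011-01-20T15:02:12Z 10.0.0.12 GET http://cainnoventa.it/m28sx.html 200
2011-01-20T15:05:40Z 10.0.0.33 GET http://www.example.org/index.html 200
2011-01-20T15:07:03Z 10.0.0.41 GET http://unlisted-host.example/m28sx.html 200
2011-01-20T15:09:55Z 10.0.0.12 GET http://www.gemini.ee/m28sx.html 200
2011-01-20T15:11:20Z 10.0.0.33 GET http://www.example.org/about.html 200
"""


def parse_log(text: str):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        yield {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def hunt(text: str, min_hosts: int = 2):
    """Return (hits on listed hosts, paths seen on at least min_hosts distinct hosts)."""
    bad = known_bad_hosts()
    hits = []
    hosts_by_path = defaultdict(set)
    for rec in parse_log(text):
        parts = urlsplit(rec["url"])
        if parts.hostname in bad:
            hits.append((rec["client"], rec["url"]))
        hosts_by_path[parts.path].add(parts.hostname)
    # One page name on many unrelated hosts is the worm's footprint; this catches
    # compromised sites that were not on the indicator list when it was written.
    shared = {p: sorted(h) for p, h in hosts_by_path.items() if len(h) >= min_hosts}
    return hits, shared


if __name__ == "__main__":
    hits, shared = hunt(SAMPLE_LOG)
    for client, url in hits:
        print("listed host:", client, url)
    for path, hosts in shared.items():
        print("shared path:", path, hosts)
```

Clients in the hits list are the ones whose Twitter passwords should be reset, which matches the advice from Twitter and Sophos further down.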
___

- http://www.pcworld.com/article/217308/twitter_targeted_with_fake_antivirus_software_scam.html
Jan 21, 2011 "... Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that 'we're working to remove the malware links and reset passwords on compromised accounts.' 'Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?' she wrote. 'That's malware. Don't install'..."

- http://nakedsecurity.sophos.com/2011/01/20/fake-anti-virus-attack-twitter-via-goo-gl-links/
January 20, 2011 - "... If you make the mistake of clicking on one of the malicious goo.gl links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems... Ukrainian URL hosting the malware... The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately..."

:mad:
 
Fraud advisory... Web crawling with new Zbot/Zeus variants...

FYI...

Fraud advisory - FBI/iC3: e-mails...
- http://www.ic3.gov/media/2011/110119.aspx
January 19, 2011 - "... cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online. Recently, more than $150,000 was stolen from a US business via unauthorized wire transfer as a result of an e-mail the business received that contained malware. The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud US businesses. The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions..."
___

Zbot-Zeus variants attack online money transactions...
- http://www.theregister.co.uk/2011/01/21/zeus_payment_provider_diversification/
21 January 2011 - "... Trusteer has detected 26 different ZeuS configurations targeting online payment provider Money Bookers. Configuration files are a set of instructions on what sites to target for the theft of login credentials, manipulation of HTML pages as presented to users of infected machines and other details. Another 13 variants of ZeuS, the last released only on 16 January, attempt to steal login credentials of Web Money users. Nochex, another online payment provider that specialises in providing payment processing services to small businesses, is the target of 12 different ZeuS configurations. Prepaid card provider netSpend and e-gold, a service abused as a payment clearing house by cybercrooks in the past, are also under attack by ZeuS-wielding miscreants... More details... here*."
* http://www.trusteer.com/blog/zeus-latest-evolution-malware-trends-targets-online-payment-providers
January 20, 2011

:sad::mad:
 
SpyEye/ZeuS toolkit code shows up ...

FYI...

SpyEye/ZeuS toolkit code shows up ...
- http://www.theregister.co.uk/2011/01/25/spyeye_zeus_merger/
25 January 2011 - "... first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits*... ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition... The malware-building tool includes options to build in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transaction security software, a security application offered to customers of many banks as a defence against banking Trojans. The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Plug-ins include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users... The cybercrime toolkit also includes improved credit-card grabbing functionality... Misdirection and misinformation... among the main tools of the cybercrime trade."
* http://blog.trendmicro.com/spyeyezeus-toolkit-v1-3-05-beta/
Toolkit detail ...

:mad::mad:
 
One-Kit-Phishes-All ...

FYI...

One-Kit-Phishes-All
- http://community.websense.com/blogs/securitylabs/archive/2011/01/25/rebirth-of-a-phish-kit.aspx
25 Jan 2011 - "... The attack first imitates the Australian Tax Office (ATO) e-tax refund page, an online system where taxpayers can lodge their annual tax refund requests. The kit readies 7 of the biggest banks of Australia, covering almost all accounts. This kit was hosted on compromised Web sites with deep directories specifically mimicking the ATO Web site. Each bank phishing Web site was then placed... Similar to earlier phishing toolkits, this attack utilizes PHP scripts to retrieve, parse, and send on the compromised account information. The kit was also held on several other compromised Web sites to enable the failover of the attack - given the limited lifecycle of phishing sites, more users fall victim to them in the first 24 hours of the attack. The readiness of this phishing toolkit -exceeds- Rock Phish..."

:mad:
___

Facebook Tunisia keystroke logger...
- http://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/
25 January 2011 - "Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government... The rogue JavaScript, which was individually customized to steal passwords for each site, worked when users tried to login without availing themselves of the secure sockets layer protection designed to prevent man-in-the-middle attacks. It was found injected into Tunisian versions of Facebook, Gmail, and Yahoo! in late December, around the same time that protestors began demanding the ouster of Zine el-Abidine Ben Ali, the president who ruled the country from 1987 until his ouster 10 days ago..."
___

Facebook photos lead to malware...
- http://sunbeltblog.blogspot.com/2011/01/phony-facebook-photos-lead-to-malware.html
January 25, 2011 - "This latest Facebook scam seems to have been rattling around for a few weeks now, directing you to malware from hacked websites hosting the rogue files. There also appear to be various Facebook application pages offering up the same dubious content. Typically, the scam involves sending messages to Facebook users from compromised accounts... Not a lot of sophistication there, but it doesn’t really take much to get people clicking. Downloading the file and running it will result in you sending your friends more "Foto" related spam and the whole process begins again. Some users report the messages appearing on their walls, while others have screenshots of messages popping up in their chat applications..."
___

Facebook scam: Free cellphone recharge
- http://sunbeltblog.blogspot.com/2011/01/facebook-scam-free-cellphone-recharge.html
January 24, 2011

:mad::mad::mad:
 
Carberp malware sniffs out A/V to maximize attack impact

FYI...

Carberp malware sniffs out A/V to maximize attack impact
- http://www.computerworld.com/s/arti...s_out_antivirus_use_to_maximize_attack_impact
January 24, 2011 - "... The authors of the new information-stealing trojan "Carberp" have added a feature that detects which antivirus program is running on victimized PCs, said Aviv Raff, the chief technology officer at Seculert, an Israeli security startup. Raff said the criminals added security software detection to make sure they're spending their money wisely... The test services Raff mentioned are similar to legitimate scanning services such as VirusTotal, which lets users upload suspicious files for scanning by scores of for-a-fee and free antivirus programs. Suspect samples that evade detection are shared with the anti-malware community for use in creating new signatures. But other, less scrupulous services have popped up to serve criminals. These services, which security blogger Brian Krebs reported on as early as December 2009*, do not alert security companies when a new piece of malware is detected. That makes them ideal for hackers to check whether code will be detected before they release it. Raff said hackers pay to run their malware through these gray-market services to check the detection status of their code before they release it... Raff expects that Carberp will follow in the footsteps of the SpyEye and Siberia attack kits, and like them, incorporate links to a scanning service. Last week, Raff published an analysis of Carberp** that described new features other than the antivirus polling, including encryption of all communication with the hacker command-and-control server..."
* http://krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/

** http://blog.seculert.com/2011/01/new-trend-in-malware-evolution.html

:mad::mad:
 
Facebook - NEW security: Secure Browsing ...

FYI...

Facebook - NEW security: Secure Browsing (https)
- http://techblog.avira.com/2011/01/27/facebook-improves-security/en/
"Facebook starts to roll out a new security feature: Secure Browsing (https). It will be available in the options of “Account Security”, below the “Account Settings” page.
This means that all data sent from and to Facebook will be transferred encrypted over the Internet if possible. Attacks to steal identities (for example in WiFi networks with Firesheep) will be rendered impossible this way...
Currently the feature seems to struggle with some problems though... some online games in Facebook don’t work properly together with activated Secure Browsing. This should be solved very soon... this is a step in the right direction and every Facebook user should activate that option as soon as it is available..."
(See screenshots available at the URL above.)

- http://news.cnet.com/8301-27080_3-20029670-245.html
January 26, 2011

- http://www.theregister.co.uk/2011/01/26/facebook_https/
26 January 2011 - "... The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg..."

- http://community.websense.com/blogs...erg-facebook-page-showing-rogue-comments.aspx
26 Jan 2011

:D:
 
The Tax Spam Cometh

FYI...

The Tax Spam Cometh
- http://www.pcworld.com/businesscenter/article/218047/the_tax_spam_cometh.html
Jan 28, 2011 - "It is that time of the year again: time to wait anxiously for W2s and 1099s to arrive, then feverishly compile figures and look for deductions to try and get back as much of your money from the IRS - or Her Majesty's Revenue and Customs (HMRC) - as possible. Do you know what that means? That means it is also time for attackers to capitalize on tax season with malware and phishing scams... Phishing e-mails are circulating, claiming that a miscalculation has been detected and that the recipient is owed a larger refund. Fred Touchette of Appriver* explains the new tax season threat. "The scammers see this as an opportunity to possibly catch some people slipping even though this most recent scam is targeting people who are already expecting a refund. To obtain the increased refund, recipients are directed to open the e-mail file attachment titled "Tax.Refund.New.Message.Alert .HTML." The resulting Web page appears to be the actual HMRC site, but is actually generated locally. The form requests sensitive information such as credit card details and mother's maiden name in order to process the refund..."
* http://blogs.appriver.com/blog/digital-degenerate/tax-deadlines-create-spikes-in-scam-trend-lines

:mad::fear:
 
Waledac [has stolen] almost 500,000 email passwords

FYI...

Waledac... [has stolen] almost 500,000 email passwords ...
- http://www.theregister.co.uk/2011/02/02/waledac_account_compromise/
2 February 2011 - "Researchers* have taken a peek inside the recently refurbished Waledac botnet, and what they've found isn't pretty. Waledac, a successor to the once-formidable Storm botnet, has passwords for almost 500,000 POP3 email accounts, allowing spam to be sent through SMTP servers, according to findings published on Tuesday by security firm Last Line*. By hijacking legitimate email servers, the Waledac gang is able to evade IP-based blacklisting techniques that many spam filters use to weed out junk messages. What's more, Waledac controllers are in possession of almost 124,000 FTP credentials. The passwords let them run programs that automatically infect the websites with scripts that -redirect- users to sites that install malware and promote fake pharmaceuticals. Last month, the researchers identified almost 9,500 webpages from 222 sites that carried poisoned links injected by Waledac. The discovery comes a month after a new malware-seeded spam run was spotted. This had all the hallmarks of the Storm botnet... "The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses," the Last Line researchers wrote. In addition to a generous helping of compromised credentials, Waledac also comes with a new command and control system that disseminates a list of router nodes to infected machines."
* http://blog.tllod.com/2011/02/01/calm-before-the-storm/
February 1, 2011
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229200280
Feb. 2, 2011

Time for password changes...
- https://www.microsoft.com/protect/fraud/passwords/checker.aspx

:fear::mad::fear:
 
Exploit rate - 61 percent of new vulnerabilities

FYI...

Exploit rate - 61 percent of new vulnerabilities...
- http://www.darkreading.com/taxonomy/index/printarticle/id/229201156
Feb 03, 2011 - "The number of exploited vulnerabilities jumped dramatically last month, with more than 60 percent of new vulnerabilities being exploited... Exploit activity is typically at a rate of 30 to 40 percent, according to Fortinet's newly released January 2011 Threat Landscape report*. Close to half of "critical" vulnerabilities were exploited by attackers..."
* http://blog.fortinet.com/january-2011-many-new-vulnerabilities-exploited-spam-takes-another-hit/

:fear::fear:
 
Nasdaq hacked ...

FYI...

Nasdaq hacked ...
- http://online.wsj.com/article/SB100...2758.html?mod=WSJ_hp_LEFTTopStories#printMode
Feb. 5, 2011 - "Nasdaq acknowledged Saturday it has been the victim of hackers and said it has notified customers about the problem. The statement by Nasdaq OMX Inc. came on the heels of a report in Saturday's Wall Street Journal that said unidentified hackers had repeatedly breached the company's computer network in the past year. In a written statement, the company said during its normal security screening, it discovered "malware" files installed on a part of its network called Directors Desk, a service designed to allow company boards to communicate by securely storing and sharing documents..."

- http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html#printMode
Feb. 5, 2011

:fear::mad::fear:
 
PDF exploit disguised ...

FYI...

PDF exploit disguised...
- http://labs.m86security.com/2011/02/pdf-exploit-disguised-as-a-xerox-scanned-document/
February 7, 2011 - "Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks however, have imitated email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner... Variations of subject lines were used like
“Scan from XER0X”,
“Scan from XER0X ZIP Office” or
“Scan from XER0X Center Office”

... the attachment is actually not a Xerox WorkCentre Pro scanned document but instead a PDF exploit file that utilizes old Adobe Acrobat Reader vulnerabilities ..."
(Screenshots available at the URL above.)

More malicious email - Virus Outbreak In Progress
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
February 08, 2011

:fear::mad:
 
Malware endemic ...

FYI...

Malware endemic...
- http://www.theregister.co.uk/2011/02/11/malware_endemic_survey/
11 February 2011 - "... European Union statistics agency EUROSTAT found that one third of PC users (31 per cent) had the pox even though the vast majority (84 per cent) were running security software (anti-virus, anti-spam, firewall) on their PCs. Of the survey's respondents, 3 per cent reported financial loss as a result of pharming or phishing attacks, while a further 4 per cent reported privacy violations involving data sent online. Bulgaria (58 per cent) and Malta (50 per cent) top the list of most infected users. By comparison, Finland (20 per cent), Ireland (15 per cent) and Austria (14 per cent) did relatively well. Trojans (59.2 per cent) were the most common type of infection found on compromised PCs, followed by viruses (11.7 per cent). A separate study by antivirus firm Panda*, also published this week, tells a similar story. Half (50 per cent) of the computers scanned by Panda in January harboured malware..."
* http://press.pandasecurity.com/news...e-infected-with-some-type-of-computer-threat/

- http://www.theinquirer.net/inquirer/news/2025421/anti-virus-software-losing-battle-war
Feb 10 2011

:fear::mad::fear:
 
Malware SPAM campaigns

FYI...

Malware SPAM campaigns
- http://labs.m86security.com/2011/02/spammed-malware-ramps-up-again/
February 14, 2011 - "... over the last week, we have seen the return of two familiar-looking malware spam campaigns.
* Post Express: Package Available
* United Parcel Service: Notification
While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads. The Post Express variety originates from the Asprox spambot... The UPS themed spam originates from one of the Cutwail spambot variants... VirusTotal results for the sample* are not overly helpful, showing widely varying names, including banking trojan, zbot, Bredolab and Oficla. Interestingly, when we pulled out some of the strings from the malware sample, we saw that it did indeed have an interest in banking... another string we found in the malware body was “Program Files\Trusteer\Rapport\bin\RapportService.exe”. Trusteer Rapport is anti-fraud software which the SpyEye banking trojan toolkit specifically has an evasion option for. Not being content with just banking data, the bot also proceeded to download a number of different files, including Waledac and Cutwail spambots, plus it also threw in this fake anti-virus software for good measure... two lessons from this brief analysis. First, similar looking campaigns are not necessarily the same. Second, installer bots such as these can lead to a swathe of different malware on the infected host."
(Screenshots available at the m86 URL above.)
* http://www.virustotal.com/file-scan...82058a6dd79f0af7ae87228ee8d320fea3-1297477589
File name: USPS_Document.exe
Submission date: 2011-02-12 02:26:29 (UTC)
Result: 32/43 (74.4%)
- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d
February 14, 2011
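Added example (not M86's tooling): the string pull M86 describes, done in a few lines so the same triage can be repeated on the next "UPS notification" sample. It extracts both ASCII and UTF-16LE strings (Windows binaries carry both) and flags the ones that point at banking or at Trusteer Rapport. The byte blob is constructed, not a real sample, and the generic banking keywords are this example's assumption; only the Rapport path is the string M86 actually reported.

```python
"""Extract printable strings from a sample and flag banking-trojan tells.

Added example, not from the M86 post. SAMPLE_BLOB is constructed; the INDICATORS
other than the Trusteer Rapport path are assumptions about what to look for.
"""
import re


def extract_strings(blob: bytes, min_len: int = 6):
    """Return ASCII strings, then UTF-16LE strings, of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(blob)]
    return found


INDICATORS = {
    # the string M86 found in the sample: anti-fraud software is being looked for
    "trusteer\\rapport": "Trusteer Rapport path (anti-fraud evasion, as in SpyEye)",
    "rapportservice.exe": "Trusteer Rapport service binary",
    # assumptions: generic tells that the sample cares about online banking
    "/login": "login URL or form",
    "bank": "banking keyword",
}


def triage(blob: bytes):
    """Map each matched indicator to the extracted strings that contain it."""
    hits = {}
    for s in extract_strings(blob):
        low = s.lower()
        for needle in INDICATORS:
            if needle in low:
                hits.setdefault(needle, []).append(s)
    return hits


# Constructed stand-in for a sample: a DOS-header fragment, one ASCII string,
# some opcode-looking bytes and one UTF-16LE string. Not real malware.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 32
    + b"Program Files\\Trusteer\\Rapport\\bin\\RapportService.exe\x00"
    + b"\x17\x9a\x02\x00"
    + "https://online.example-bank.test/login".encode("utf-16le") + b"\x00\x00"
    + b"\x8b\xec\x83\xc4\xf0\xe8\x00\x00"
)

if __name__ == "__main__":
    for needle, strings in triage(SAMPLE_BLOB).items():
        print("%-20s %s" % (needle, INDICATORS[needle]))
        for s in strings:
            print("    ", s)
```

On a real sample, pass `open(path, "rb").read()` to `triage`; packed binaries yield little until unpacked, which is itself a tell worth noting.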
___

- http://labs.m86security.com/2011/02/ups-spam-oh-wait-its-an-fdic-spam-campaign/
February 15, 2011 - "... the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the FDIC... the spammer did not manage to configure the spam template correctly and left the from field still using the domain ups.com..."
(Screenshots available at the URL above.)
- http://www.virustotal.com/file-scan...6c1a3247409c702de7a2729a3d2dc81458-1297829427
File name: 7529534f159bb49113908071a3061aa4
Submission date: 2011-02-16 04:10:27 (UTC)
Result: 26/43 (60.5%)

:mad:
 
BBC - injected w/malicious iFrame

FYI...

BBC - injected w/malicious iFrame
- http://community.websense.com/blogs...bc6-website-injected-with-malicious-code.aspx
15 Feb 2011 - "The BBC - 6 Music Web site has been injected with a malicious iframe, as have areas of the BBC 1Xtra radio station Web site. At the time of writing this blog, the sites are still linking to an injected iframe... The injected iframe occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD. The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site. If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable. The payload is delivered to the end user only once, with the initial visit being logged by the malware authors. The code that is delivered to end users utilizes exploits delivered by the Phoenix exploit kit:
- http://community.websense.com/blogs/securitylabs/pages/phoenix-exploit-s-kit.aspx
A malicious binary is ultimately delivered to the end user. The VirusTotal detection* of this file is currently around 20%..."
* http://www.virustotal.com/file-scan...a373d2face149523dfd183d669b31da6bc-1297784293
File name: 4a0ab371e6c6dd54deeab41ab1b77fa373d2face149523dfd183d669b[...].bin
Submission date: 2011-02-15 15:38:13 (UTC)
Result: 9/43 (20.9%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...a373d2face149523dfd183d669b31da6bc-1298083200
File name: 3810631eeaea4950d0e1bd48ec89be12
Submission date: 2011-02-19 02:40:00 (UTC)
Result: 28/43 (65.1%)
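Added example (not Websense's or the BBC's code): a small scanner for the injection pattern described above. It pulls every iframe out of a page and flags the ones that are off-site, sit in a TLD the analyst distrusts (.co.cc here, as in the post), are one pixel or smaller, or are styled invisible. The page markup is constructed, not the real BBC HTML, and the injected hostname is made up.

```python
"""Flag iframes that look injected, the way the BBC 6 Music foot-of-page iframe was.

Added example, not from the Websense post. SAMPLE_PAGE and the .co.cc hostname in it
are constructed; SUSPICIOUS_TLDS is an assumption about what this analyst distrusts.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPICIOUS_TLDS = (".co.cc",)   # assumption: the TLD named in the post


class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when width or height is 1px or less (classic hidden drive-by frame)."""
    def dim(v):
        try:
            return int(v.strip().rstrip("px"))
        except ValueError:
            return None
    w, h = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    return any(d is not None and d <= 1 for d in (w, h))


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def scan_page(html: str, site_domain: str):
    """Return [(src, [reasons])] for every iframe that trips at least one check.

    site_domain is the registrable domain of the page (e.g. 'bbc.co.uk'); frames on
    that domain or its subdomains are treated as on-site.
    """
    p = IframeCollector()
    p.feed(html)
    findings = []
    for f in p.iframes:
        src = f.get("src", "")
        host = urlsplit(src).hostname or site_domain   # relative src stays on-site
        reasons = []
        if not (host == site_domain or host.endswith("." + site_domain)):
            reasons.append("off-site")
        if host.endswith(SUSPICIOUS_TLDS):
            reasons.append("suspicious-tld")
        if _is_tiny(f):
            reasons.append("tiny")
        if _is_hidden(f):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: a normal embedded player, an on-site tracking pixel, and an
# injected invisible frame after </body>, where such injections typically land.
SAMPLE_PAGE = """<html><body>
<h1>6 Music</h1>
<iframe src="/embed/player" width="400" height="300"></iframe>
<p>...page content...</p>
<iframe src="http://stats.bbc.co.uk/hit" width="1" height="1"></iframe>
</body>
<iframe src="http://injected-example.co.cc/index.php" width="1" height="1" style="display:none"></iframe>
</html>"""

if __name__ == "__main__":
    for src, reasons in scan_page(SAMPLE_PAGE, "bbc.co.uk"):
        print(src, "->", ", ".join(reasons))
```

A tiny on-site frame alone is usually a tracking pixel; the combination off-site plus tiny or hidden is what to act on. Because the kit serves the payload only once per visiting IP, fetch the page through a fresh address when reproducing.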

:mad:
 
Smitnyl - MBR infector...

FYI...

Smitnyl - MBR infector...
- http://www.f-secure.com/weblog/archives/00002101.html
Feb. 17, 2011 - "... an MBR file system infector such as Trojan:W32/Smitnyl.A (98b349c7880eda46c63ae1061d2475181b2c9d7b), which appears to be distributed via some free file-sharing networks, seems worth a quick analysis, even if it only targets one portable executable system file and the infection is straightforward compared to common virus file infectors. Smitnyl.A first infects the MBR via raw disk access. Then it replaces it with a malicious MBR containing the file infector routine... MBR File System Infector... can bypass Windows File Protection (WFP). As WFP is running in protected mode, any WFP-protected file will be restored immediately if the file is replaced...
Userinit... is one of the processes launched automatically when the system starts, allowing the malware to execute automatically when the system starts.
Smitnyl infects Userinit from the first stage of the boot sequence. When the MBR is loaded to 0x7C00, it determines the active partition from the partition table and also the starting offset of boot sector. It then checks the machine’s file system type... Smitnyl will check for the Windows path from $ROOT down to the System32 directory, where userinit.exe is located... After decoding, it launches %temp%\explorer.exe using ShellExecute — this serves as a decoy to hide the infection. At the same time, it will execute the real explorer.exe using Winexec... there is nothing special about the final payload — it is merely a downloader. The infected userinit.exe disables 360safe's IE browser protection so that the downloader can retrieve files from the remote server http://[...].perfectexe.com/."
(More detail at the F-secure URL above.)
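Added example (not from F-Secure's write-up): the partition-table walk that Smitnyl's boot code performs, done from user space, plus the check a responder actually wants: hash the 446-byte boot code and compare it with a value recorded from a trusted system. The MBR bytes below are constructed (the "boot code" is filler), so the trusted hash is computed from the constructed clean copy rather than from a real disk.

```python
"""Parse an MBR, locate the active partition's boot sector, and check the boot code.

Added example, not F-Secure's tooling. CLEAN_MBR / INFECTED_MBR are constructed:
a clean table with stand-in boot code, and the same table after the code was swapped,
which is what an MBR infector leaves behind.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446        # bytes 0..445 hold boot code; the 64-byte table follows
SECTOR = 512


def parse_partition_table(mbr: bytes):
    """Return the four 16-byte entries as dicts (active flag, type, start LBA, size)."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[BOOTCODE_LEN + 16 * i: BOOTCODE_LEN + 16 * (i + 1)]
        # byte 0 boot flag, 1-3 CHS start, 4 type, 5-7 CHS end, 8-11 LBA, 12-15 sectors
        boot, ptype, lba, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"active": boot == 0x80, "type": ptype,
                        "start_lba": lba, "sectors": sectors})
    return entries


def active_boot_sector_offset(mbr: bytes) -> int:
    """Byte offset of the active partition's boot sector: what the loaded MBR
    computes at 0x7C00 before reading the volume boot record."""
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return active[0]["start_lba"] * SECTOR


def bootcode_sha1(mbr: bytes) -> str:
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest()


def bootcode_is_trusted(mbr: bytes, trusted_sha1: str) -> bool:
    """An MBR infector rewrites the boot code but keeps the table intact, so the
    disk still boots; only the code hash gives it away."""
    return bootcode_sha1(mbr) == trusted_sha1


def build_mbr(bootcode: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (active, type, start_lba, sectors)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, lba, n)
                     for a, t, lba, n in entries)
    return bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN] + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed sample disk: NTFS system partition at LBA 2048, a second NTFS volume.
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 409600)]
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16     # filler, not real code
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
TRUSTED_SHA1 = bootcode_sha1(CLEAN_MBR)                                 # recorded from a known-good disk
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 64, PARTITIONS)    # same table, new code

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, "active boot sector at byte", active_boot_sector_offset(mbr),
              "trusted code:", bootcode_is_trusted(mbr, TRUSTED_SHA1))
```

On a live Windows host the 512 bytes come from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator, and the trusted hash from the same read on a clean machine with the same OS build. Note the check does not restore anything; a modified boot code is a signal to image the disk, not to rewrite it.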

- http://www.urlvoid.com/scan/perfectexe.com
Detections: 8/19 (42%)
Status: DANGEROUS

:fear::fear::mad:
 
Social engineering to infect with malware ...

FYI...

Social engineering to infect with malware ...
- http://www.securitypark.co.uk/security_article265838.html
18/02/2011 - "In the past weeks, new malicious codes that use Facebook to ensnare victims have been wreaking havoc. The recent trend for developing computer threats designed to spread by exploiting the most popular social media continues to gather pace. One of these, Asprox.N, is a Trojan that reaches potential victims via email. It deceives users by telling them that their Facebook account is being used to distribute spam and that, for their security, the login credentials have been changed. It includes a fake Word document supposedly containing the new password. The email attachment has an unusual Word icon, and is called Facebook_details.exe. This file is really the Trojan which, when run, downloads a .doc file that runs Word to make users think the original file has opened. The Trojan, when run, downloads another file designed to open all available ports, connecting to various mail service providers in an attempt to spam as many users as possible. The other, Lolbot.Q, is distributed across IM applications such as MSN and Yahoo!, displaying a message with a malicious link. This link downloads a worm designed to hijack Facebook accounts and prevent users from accessing them. If users then try to login to Facebook, a message appears informing them that the account has been suspended and that to reactivate it they must complete a questionnaire, with the offer of prizes –including laptops, iPads, etc.– to encourage users to take part... PandaLabs advises all users to be wary of any messages with unusually eye-catching subjects, whether via email or IM or any other channel; and to be careful when clicking on external links in Web pages..."
- http://pandalabs.pandasecurity.com/

:mad: :mad:
 
Oddjob trojan keeps sessions open...

FYI...

Oddjob Trojan keeps banking sessions open after victims log out
- http://www.theregister.co.uk/2011/02/22/oddjob_banking_trojan/
February 22, 2011 - "... OddJob Trojan hijacks customers’ online banking sessions in real time using their session ID tokens. By keeping accounts open even after victims think they have quit, the malware creates a window for fraudsters to loot compromised accounts and commit fraud... Trusteer, the transaction security firm that discovered the malware, said it made the discovery a few months ago but is only able to report on it now following the conclusion of a police investigation. OddJob is being used by cyber-crooks based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark... More information on the Oddjob Trojan can be found in a blog post by Trusteer here*."
* http://www.trusteer.com/blog/new-fi...ne-banking-sessions-open-after-users-“logout”
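Added example (not Trusteer's or the Register's code): the server-side session handling that limits what a stolen session ID is worth. OddJob, as described above, holds the victim's token and makes sure the real logout never takes effect, so a bank that only relies on the browser forgetting its cookie cannot help. The store below revokes on logout, expires idle sessions, and also caps the absolute lifetime, so a token the attacker keeps touching still dies. The timeouts and the fake clock are illustrative assumptions.

```python
"""Session store that revokes on logout and caps lifetime server-side.

Added example, not from Trusteer or the Register. IDLE_TIMEOUT, ABSOLUTE_LIFETIME
and FakeClock are assumptions used to make the simulation deterministic.
"""
import secrets
import time

IDLE_TIMEOUT = 10 * 60        # assumption: 10 minutes without a request ends the session
ABSOLUTE_LIFETIME = 60 * 60   # assumption: no session outlives one hour, however active


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str):
        """Return the user for a live token, else None. Every check is server-side."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[token]       # expired: drop it so it cannot be revived
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        """Revoke server-side; any stolen copy of the token dies with this call."""
        self._sessions.pop(token, None)


class FakeClock:
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_hijack(logout_reaches_server: bool):
    """Victim logs in; the attacker copies the token and keeps it warm every 5 minutes.

    Returns (stolen token valid right after the victim 'logs out',
             stolen token valid just past the one-hour absolute limit).
    """
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.login("victim")
    stolen = token                           # the session ID the Trojan exfiltrated
    if logout_reaches_server:
        store.logout(token)                  # normal case: the bank revokes it
    after_logout = store.validate(stolen) is not None
    for _ in range(12):                      # OddJob-style keep-alive, 12 x 5 min
        clock.advance(5 * 60)
        store.validate(stolen)
    clock.advance(1)
    after_hour = store.validate(stolen) is not None
    return after_logout, after_hour


if __name__ == "__main__":
    print("logout delivered :", simulate_hijack(True))
    print("logout suppressed:", simulate_hijack(False))
```

With the logout suppressed, the stolen token stays valid only until the absolute lifetime runs out; remove the `ABSOLUTE_LIFETIME` check and the keep-alive loop keeps it alive indefinitely, which is exactly the window the Trojan exploits.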

:mad::fear:
 
Facebook clickjacking malware - in Italian...

FYI...

Facebook clickjacking malware - in Italian...
- http://nakedsecurity.sophos.com/2011/02/22/facebook-clickjacking-malware-italian-disguises/
February 22, 2011 - "Non-English speaking Facebook users shouldn't be fooled into believing that they are somehow immune from the scams and attacks that plague the social networking site. The latest few campaigns seen by SophosLabs, for instance, target Italian users of the social network... Colorful clickjacking attacks, requiring users to click on a series of rainbow-colored boxes without realizing they're authorizing other actions, are nothing new of course. As more and more criminals discover how successful attacks via Facebook can be, we can expect the tried-and-trusted techniques of the English-speaking world to be cloned elsewhere around the globe..."

:fear::mad:
 
Ransomware a successor of scareware? ...

FYI...

Ransomware a successor of scareware?
- http://community.websense.com/blogs/securitylabs/archive/2011/02/24/the-ransomway.aspx
24 Feb 2011 - "... We dare to say it is not. Both malware groups try to convince the victim that there is no way to avoid paying money, although the approach is very different. With scareware the victims at least have a chance to resist the social engineering offering the only solution and work on the cleaning process on their own. With ransomware this chance hardly exists at all. Yes, there are many similarities and it is likely the same people stand behind both types of malware groups. However, in one case there is a "seller" offering the "products and services"; in the other one an extorter asking for ransom. Even though both are illegal and dishonest, the approach is different.
Restoration and Protection: Restoration of data or access depend on the kind of malware. In some cases it is possible to download a utility and clean the infected system, in other cases to replace malicious parts with clean ones. Unfortunately, there is no means to bypass malware such as Gpcode. Therefore the only protection is to keep up-to-date backups stored -off- the machine all the time..."
- http://www.youtube.com/watch?v=JZT0JZybfVc

:fear::fear:
 