Malvertising campaign leads to Browser-Locking Ransomware, More WhatsApp SPAM
FYI...
Malvertising campaign leads to Browser-Locking Ransomware
- http://www.symantec.com/connect/blogs/massive-malvertising-campaign-leads-browser-locking-ransomware
17 Dec 2013 - "The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest version of ransomware that is currently active. It does not download child abuse material, such as Ransomlock.AE, or encrypt files on your computer, like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is instead a plain old Web page, with JavaScript tricks that prevent users from closing a browser tab. It determines the user’s local country and makes the usual threats, claiming that the user has broken the law by accessing pornography websites and demands that they pay a fine to the local police.
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock 1 edit.png
What is substantial is the number of users getting redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website. The same trend continues in December. More than 220,000 connections were blocked just 11 days into December. Overall, about 1.8 million connections have been blocked since tracking began in September. These numbers may not seem particularly large for those familiar with exploit kits and traffic redirection systems, but they solely represent users of Symantec products. The 650,000 connections detected in November is merely a piece of the pie, but the real number is likely to be much larger.
Browlock ransomware’s activity in November and December this year
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock 2.png
... The Browlock attackers appear to be purchasing traffic that redirects many different visitors to their malicious website. They are using malvertising, an increasingly common approach which involves purchasing advertising from legitimate networks. The advertisement is directed to what appears to be an adult Web page, which then redirects to the Browlock website... In a recent example, the attackers created several different accounts with an advertising network, deposited payment, and began buying traffic to redirect users to a website with a name that resembles an online chat forum. When the user visits the page, they are then redirected to the Browlock site. In fact, the attacker hosts the legitimate-looking domain name on the same infrastructure as the ransomware site itself... Symantec has identified 29 different law enforcement values, representing approximately 25 regions. The following graph shows the percentage of connections for the top ten law enforcement agencies identified. We found that traffic from the US was the most common. This is followed by Germany, then Europol, which covers European countries when no specific image template has been created.
Top ten regions targeted by Browlock
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock 3.png
... We have seen 196 domains since tracking began. The domains adhere to the format of a single letter followed by four digits and then .com. The actual domains have been hosted on a number of different IP addresses over the past four months. The most active Autonomous System (AS) has been AS48031 - PE Ivanov Vitaliy Sergeevich, which was used in each of the past four months. The attackers rotated through seven different IP addresses in this AS. The Browlock ransomware tactic is simple but effective. Attackers save money by -not- using a malicious executable or accessing an exploit kit. As the victim simply needs to close their browser to escape from the Web page, one might think that no one will pay up. However, the Browlock attackers are clearly spending money to purchase traffic and so they must be making a return on that investment. The usual ransomware tactic of targeting users of pornographic websites continues to capitalize on a victim’s embarrassment and may account for the success rate...
Malicious infrastructures used:
AS24940 HETZNER-AS Hetzner Online AG*
IP address: 144.76.136.174 Number of redirected users: 2,387
AS48031 – PE Ivanov Vitaliy Sergeevich
IP address: 176.103.48.11 Number of redirected users: 37,521
IP address: 193.169.86.15 Number of redirected users: 346
IP address: 193.169.86.247 Number of redirected users: 662,712
IP address: 193.169.86.250 Number of redirected users: 475,914
IP address: 193.169.87.14 Number of redirected users: 164,587
IP address: 193.169.87.15 Number of redirected users: 3,945
IP address: 193.169.87.247 Number of redirected users: 132,398
AS3255 –UARNET
IP address: 194.44.49.150 Number of redirected users: 28,533
IP address: 194.44.49.152 Number of redirected users: 134,206
AS59577 SIGMA-AS Sigma ltd
IP address: 195.20.141.61 Number of redirected users: 22,960
Nigeria Ifaki Federal University Oye-ekiti
IP address: 196.47.100.2 Number of redirected users: 47,527
AS44050 - Petersburg Internet Network LLC
IP address: 91.220.131.106 Number of redirected users: 81,343
IP address: 91.220.131.108 Number of redirected users: 75,381
IP address: 91.220.131.56 Number of redirected users: 293
AS31266 INSTOLL-AS Instoll ltd.
IP address: 91.239.238.21 Number of redirected users: 8,063 "
Diagnostic page for AS24940 (HETZNER-AS)
* http://google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 4337 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 683 site(s)... appeared to function as intermediaries for the infection of 1634 other site(s)... We found 514 site(s)... that infected 5040 other site(s)..."
Diagnostic page for AS48031 (XSERVER-IP-NETWORK-AS)
- http://google.com/safebrowsing/diagnostic?site=AS:48031
"... over the past 90 days, 178 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 25 site(s) on this network... appeared to function as intermediaries for the infection of 120 other site(s)... We found 16 site(s)... that infected 779 other site(s)..."
___
Fake ‘WhatsApp Missed Voicemail’ emails lead to pharmaceutical scams
- http://www.webroot.com/blog/2013/12...mail-themed-emails-lead-pharmaceutical-scams/
Dec 18, 2013 - "... A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-con..._Email_Spam_Pharma_Pharmaceutical_Scam_01.png
Sample screenshot of the landing pharmaceutical scam page:
> https://www.webroot.com/blog/wp-con..._Spam_Pharma_Pharmaceutical_Scam-1024x587.png
Redirection chain: hxxp :// 203.78.110.20 /horizontally.html -> hxxp ://viagraphysician .com (109.201.133.58). We’re also aware of... fraudulent domains that are known to have phoned back to the same IP (109.201.133.58)... Name servers:
ns1 .viagraphysician .com – 178.88.64.149
ns2 .viagraphysician .com – 200.185.230.32
... fraudulent name servers are also known to have participated in the campaign’s infrastructure at 178.88.64.149 ... We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs..."
(More detail at the webroot URL above.)
- https://www.virustotal.com/en/ip-address/109.201.133.58/information/
- https://www.virustotal.com/en/ip-address/178.88.64.149/information/
- https://www.virustotal.com/en/ip-address/200.185.230.32/information/
- https://www.virustotal.com/en/ip-address/203.78.110.20/information/
___
Gmail’s Image Display defaults may change your Privacy
- http://blog.trendmicro.com/trendlab...age-display-defaults-may-change-your-privacy/
Dec 18, 2013 - "... this means that all pictures in emails will now be automatically displayed. Instead of being served directly from the site hosting the image, however, they will be given a copy that has been scanned by Google. Officially, the stated rationale for this change is that previously, senders “might try to use images to compromise the security of your computer”, and that with the change images will be “checked for known viruses or malware”. This change affects users who access Gmail via their browser, or the official iOS and Android apps. In the past, there have been occasions where malicious images were used to compromise computers. A number of image formats were exploited in 2005 and 2006, including a Windows Metafile vulnerability (MS06-001), and an Office vulnerability that allowed arbitrary code execution (MS06-039). More recently, a vulnerability in how TIFF files were handled (MS13-096) was found and not patched until the December Patch Tuesday cycle. Properly implemented, scanning the images would be able to prevent these attacks from affecting users... actual exploitation of these vulnerabilities has been relatively uncommon. Exploit kits have opted to target vulnerabilities in Flash, Internet Explorer, Java, and Reader instead. Image vulnerabilities are not even listed in the control panels of these kits. The primary reason to block images is not to block malware, but to stop information leakage. Images are used by spammers and attackers to track if/when email has been read and to identify the browser environment of the user. Email marketers also use this technique to check how effective their email campaigns are. Email marketers have already confirmed that in spite of Google’s moves, email tracking is still very possible. Google’s proposed solution (a web proxy that checks images for malware images) appears to solve a small security problem (malicious image files), while leaving at risk user’s security and privacy. Attackers still have the capability to track that users have read email–and to learn aspects of their browser environment. Users can still revert to the previous behavior via their Gmail settings, as outlined in Google’s blog post:
Of course, those who prefer to authorize image display on a per message basis can choose the option “Ask before displaying external images” under the General tab in Settings. That option will also be the default for users who previously selected “Ask before displaying external content”.
We -strongly- recommend that users -change- this setting for their accounts. Users who access Gmail via POP3 or IMAP should check the settings of their mail application to control the display of images."
___
Fake VISA Report SPAM / payment-history-n434543-434328745231.zip
- http://blog.dynamoo.com/2013/12/visa-recent-transactions-report-spam.html
18 Dec 2013 - "This -fake- VISA spam comes with a malicious attachment:
Date: Wed, 18 Dec 2013 14:32:50 -0500 [14:32:50 EST]
From: Visa [Eddie_Jackson@ visa .com]
Subject: VISA - Recent Transactions Report
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in
possible fraudulent transactions. For security reasons the requested transactions were
refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Virgie_Cruz
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom ...
Attached to the message is an archive file payment-history-n434543-434328745231.zip with a VirusTotal detection rate of 10/48*, which in turn contains payment-history-n434543-434328745231.exe with a detection rate of 10/49**. Automated analysis tools... indicate a network connection to bestdatingsitesreview4u .com on 38.102.226.126 (PSInet, US). This appears to be the only site on that server, blocking either the IP or domain temporarily may help mitigate against infection."
* https://www.virustotal.com/en/file/...f9be643fd0934d67cba387ac/analysis/1387397621/
** https://www.virustotal.com/en/file/...072f644b768386a23f262127/analysis/1387397396/
- https://www.virustotal.com/en/ip-address/38.102.226.126/information/
:fear: :sad:
FYI...
Malvertising campaign leads to Browser-Locking Ransomware
- http://www.symantec.com/connect/blogs/massive-malvertising-campaign-leads-browser-locking-ransomware
17 Dec 2013 - "The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest version of ransomware that is currently active. It does not download child abuse material, such as Ransomlock.AE, or encrypt files on your computer, like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is instead a plain old Web page, with JavaScript tricks that prevent users from closing a browser tab. It determines the user’s local country and makes the usual threats, claiming that the user has broken the law by accessing pornography websites and demands that they pay a fine to the local police.
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock 1 edit.png
What is substantial is the number of users getting redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website. The same trend continues in December. More than 220,000 connections were blocked just 11 days into December. Overall, about 1.8 million connections have been blocked since tracking began in September. These numbers may not seem particularly large for those familiar with exploit kits and traffic redirection systems, but they solely represent users of Symantec products. The 650,000 connections detected in November is merely a piece of the pie, but the real number is likely to be much larger.
Browlock ransomware’s activity in November and December this year
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock 2.png
... The Browlock attackers appear to be purchasing traffic that redirects many different visitors to their malicious website. They are using malvertising, an increasingly common approach which involves purchasing advertising from legitimate networks. The advertisement is directed to what appears to be an adult Web page, which then redirects to the Browlock website... In a recent example, the attackers created several different accounts with an advertising network, deposited payment, and began buying traffic to redirect users to a website with a name that resembles an online chat forum. When the user visits the page, they are then redirected to the Browlock site. In fact, the attacker hosts the legitimate-looking domain name on the same infrastructure as the ransomware site itself... Symantec has identified 29 different law enforcement values, representing approximately 25 regions. The following graph shows the percentage of connections for the top ten law enforcement agencies identified. We found that traffic from the US was the most common. This is followed by Germany, then Europol, which covers European countries when no specific image template has been created.
Top ten regions targeted by Browlock
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock 3.png
... We have seen 196 domains since tracking began. The domains adhere to the format of a single letter followed by four digits and then .com. The actual domains have been hosted on a number of different IP addresses over the past four months. The most active Autonomous System (AS) has been AS48031 - PE Ivanov Vitaliy Sergeevich, which was used in each of the past four months. The attackers rotated through seven different IP addresses in this AS. The Browlock ransomware tactic is simple but effective. Attackers save money by -not- using a malicious executable or accessing an exploit kit. As the victim simply needs to close their browser to escape from the Web page, one might think that no one will pay up. However, the Browlock attackers are clearly spending money to purchase traffic and so they must be making a return on that investment. The usual ransomware tactic of targeting users of pornographic websites continues to capitalize on a victim’s embarrassment and may account for the success rate...
Malicious infrastructures used:
AS24940 HETZNER-AS Hetzner Online AG*
IP address: 144.76.136.174 Number of redirected users: 2,387
AS48031 – PE Ivanov Vitaliy Sergeevich
IP address: 176.103.48.11 Number of redirected users: 37,521
IP address: 193.169.86.15 Number of redirected users: 346
IP address: 193.169.86.247 Number of redirected users: 662,712
IP address: 193.169.86.250 Number of redirected users: 475,914
IP address: 193.169.87.14 Number of redirected users: 164,587
IP address: 193.169.87.15 Number of redirected users: 3,945
IP address: 193.169.87.247 Number of redirected users: 132,398
AS3255 –UARNET
IP address: 194.44.49.150 Number of redirected users: 28,533
IP address: 194.44.49.152 Number of redirected users: 134,206
AS59577 SIGMA-AS Sigma ltd
IP address: 195.20.141.61 Number of redirected users: 22,960
Nigeria Ifaki Federal University Oye-ekiti
IP address: 196.47.100.2 Number of redirected users: 47,527
AS44050 - Petersburg Internet Network LLC
IP address: 91.220.131.106 Number of redirected users: 81,343
IP address: 91.220.131.108 Number of redirected users: 75,381
IP address: 91.220.131.56 Number of redirected users: 293
AS31266 INSTOLL-AS Instoll ltd.
IP address: 91.239.238.21 Number of redirected users: 8,063 "
Diagnostic page for AS24940 (HETZNER-AS)
* http://google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 4337 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 683 site(s)... appeared to function as intermediaries for the infection of 1634 other site(s)... We found 514 site(s)... that infected 5040 other site(s)..."
Diagnostic page for AS48031 (XSERVER-IP-NETWORK-AS)
- http://google.com/safebrowsing/diagnostic?site=AS:48031
"... over the past 90 days, 178 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 25 site(s) on this network... appeared to function as intermediaries for the infection of 120 other site(s)... We found 16 site(s)... that infected 779 other site(s)..."
___
Fake ‘WhatsApp Missed Voicemail’ emails lead to pharmaceutical scams
- http://www.webroot.com/blog/2013/12...mail-themed-emails-lead-pharmaceutical-scams/
Dec 18, 2013 - "... A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-con..._Email_Spam_Pharma_Pharmaceutical_Scam_01.png
Sample screenshot of the landing pharmaceutical scam page:
> https://www.webroot.com/blog/wp-con..._Spam_Pharma_Pharmaceutical_Scam-1024x587.png
Redirection chain: hxxp :// 203.78.110.20 /horizontally.html -> hxxp ://viagraphysician .com (109.201.133.58). We’re also aware of... fraudulent domains that are known to have phoned back to the same IP (109.201.133.58)... Name servers:
ns1 .viagraphysician .com – 178.88.64.149
ns2 .viagraphysician .com – 200.185.230.32
... fraudulent name servers are also known to have participated in the campaign’s infrastructure at 178.88.64.149 ... We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs..."
(More detail at the webroot URL above.)
- https://www.virustotal.com/en/ip-address/109.201.133.58/information/
- https://www.virustotal.com/en/ip-address/178.88.64.149/information/
- https://www.virustotal.com/en/ip-address/200.185.230.32/information/
- https://www.virustotal.com/en/ip-address/203.78.110.20/information/
___
Gmail’s Image Display defaults may change your Privacy
- http://blog.trendmicro.com/trendlab...age-display-defaults-may-change-your-privacy/
Dec 18, 2013 - "... this means that all pictures in emails will now be automatically displayed. Instead of being served directly from the site hosting the image, however, they will be given a copy that has been scanned by Google. Officially, the stated rationale for this change is that previously, senders “might try to use images to compromise the security of your computer”, and that with the change images will be “checked for known viruses or malware”. This change affects users who access Gmail via their browser, or the official iOS and Android apps. In the past, there have been occasions where malicious images were used to compromise computers. A number of image formats were exploited in 2005 and 2006, including a Windows Metafile vulnerability (MS06-001), and an Office vulnerability that allowed arbitrary code execution (MS06-039). More recently, a vulnerability in how TIFF files were handled (MS13-096) was found and not patched until the December Patch Tuesday cycle. Properly implemented, scanning the images would be able to prevent these attacks from affecting users... actual exploitation of these vulnerabilities has been relatively uncommon. Exploit kits have opted to target vulnerabilities in Flash, Internet Explorer, Java, and Reader instead. Image vulnerabilities are not even listed in the control panels of these kits. The primary reason to block images is not to block malware, but to stop information leakage. Images are used by spammers and attackers to track if/when email has been read and to identify the browser environment of the user. Email marketers also use this technique to check how effective their email campaigns are. Email marketers have already confirmed that in spite of Google’s moves, email tracking is still very possible. Google’s proposed solution (a web proxy that checks images for malware images) appears to solve a small security problem (malicious image files), while leaving at risk user’s security and privacy. Attackers still have the capability to track that users have read email–and to learn aspects of their browser environment. Users can still revert to the previous behavior via their Gmail settings, as outlined in Google’s blog post:
Of course, those who prefer to authorize image display on a per message basis can choose the option “Ask before displaying external images” under the General tab in Settings. That option will also be the default for users who previously selected “Ask before displaying external content”.
We -strongly- recommend that users -change- this setting for their accounts. Users who access Gmail via POP3 or IMAP should check the settings of their mail application to control the display of images."
___
Fake VISA Report SPAM / payment-history-n434543-434328745231.zip
- http://blog.dynamoo.com/2013/12/visa-recent-transactions-report-spam.html
18 Dec 2013 - "This -fake- VISA spam comes with a malicious attachment:
Date: Wed, 18 Dec 2013 14:32:50 -0500 [14:32:50 EST]
From: Visa [Eddie_Jackson@ visa .com]
Subject: VISA - Recent Transactions Report
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in
possible fraudulent transactions. For security reasons the requested transactions were
refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Virgie_Cruz
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom ...
Attached to the message is an archive file payment-history-n434543-434328745231.zip with a VirusTotal detection rate of 10/48*, which in turn contains payment-history-n434543-434328745231.exe with a detection rate of 10/49**. Automated analysis tools... indicate a network connection to bestdatingsitesreview4u .com on 38.102.226.126 (PSInet, US). This appears to be the only site on that server, blocking either the IP or domain temporarily may help mitigate against infection."
* https://www.virustotal.com/en/file/...f9be643fd0934d67cba387ac/analysis/1387397621/
** https://www.virustotal.com/en/file/...072f644b768386a23f262127/analysis/1387397396/
- https://www.virustotal.com/en/ip-address/38.102.226.126/information/
:fear: :sad:
Last edited:
... As for the malware: Lowish detection as usual, Virustotal 12/44*. Malwr/Cuckoo analysis**. The malware family so far seems to have a MUTEX of "CiD0oc5m" in common, and when run, it displays a Notepad that asks the user to try again later (while the EXE installs itself in the background)... Hosts currently seen pushing the malware include: