With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.

Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to websites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!

But another way to attract visitors looking for news is a technique known as search engine optimization (SEO for short, see more here). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering “more information” about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.

A good way to protect against this kind of attack is to use our SiteAdvisor tool, which can be downloaded for free at this site: http://www.siteadvisor.com/. It will help you identify potentially malicious links on your search results.

And again, repeat with me: No, that email will NOT show you pictures of Michael Jackson’s body; it will just install malware on your machine.

With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams.

With more than 15 percent of the traffic from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not so tech-savvy users on Orkut. They have updated the user profiles of several thousands of compromised Orkut accounts, which now link to various phished websites. These lure visiting users into divulging their personal information.

Various phished websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousands of Orkut users into entering their credentials into this fake website. The attackers use the harvested details to steal other personal information for monetary gain.

We have observed scores of websites being used in this phishing attack. Here are a few of them:

• http://orkutsexlogi[blocked].tk
• http://s3x[blocked].kilu.de
• http://orkutst[blocked].tk
• http://album[blocked].kilu.de
• http://priya[blocked].freehostia.com

If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

Yesterday, we came across to a new variant of a rogue security program. This one is called Malware Doctor, and we detect it as FakeAlert-D Trojan  with our DAT 5635.

The new variant comes from the following web pages:
hxxp://internetware-sa{blocked}.com/
hxxp://mal-ware{blocked}.net

As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to “repair” malware problems.

We also noticed some new features in Malware Doctor. Once installed, it performs a system scan:

Users see a message indicating this “unregistered” version of Malware Doctor won’t be able to heal or remove infected files and asking the user to activate it at a cost.

Unlike many rogue security programs, which displays excessive fake alerts, this version of Malware Doctor reports only few detections so users will not be very suspicious of it.

Once this Trojan detects a supposedly malicious file, it will pop up a message:

This Trojan even makes use of McAfee’s malware naming convention:

This Trojan also displays information of supposedly known viruses whose information is taken from McAfee’s Virus Information Library.

As of today, the malicious website hosting this Trojan makes use of another AV vendor’s malware naming convention. However, the installer for this Trojan no longer exists on the Trojan’s website.

Affected VirusScan users may remove this threat using the latest DATs and engine.

Keep your AV signatures up to date!

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

Today we released our Spam Report for the month of June. In it we discuss two key findings:

President Obama’s First 100 Days of Spam
Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

Identifying Spam Trends of the Future
Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

It was very encouraging to see that more than 40 people came to Budapest, Hungary, to discuss and agree on new industry standards as part of the effort undertaken by the Anti-Malware Standards Organization (www.amtso.org.) The awesome historic surroundings set the mood for our discussions.

Seeing such a great turnout in the current economic climate shows how much AMTSO members care about raising the standards of testing anti-malware products. Especially considering the recent rise in the number of rogue security products (such as the now infamous “Anti-virus XP 2009″), it is clear that we need transparent and fair testing more than ever.

AMTSO members finalized and adopted several new documents to the current portfolio. (Have a look at the collection of documents here: www.amtso.org/documents.html.)

But I would like to draw your attention to two papers that, in my opinion, represent very significant steps for the security industry as a whole.

• The first one is “AMTSO Analysis of Reviews Process,” and it presents the process of analyzing reviews. The creation of such a process paves the way to highlight great reviews and/or to expose substandard tests in public. (AMTSO promises to publish all the analyses they undertake.) I really hope that this process, designed to be transparent and fair, will improve the quality of testing and benefit both the developers and consumers of anti-malware technology. If you have doubts that this process is going to be unbiased I will remind you that AMTSO members work for competing security companies, and there would not be a snowball’s chance in hell to agree on the process if it were not designed to be fair. The next step is to put the “AMTSO Analysis of Reviews Process” into practice. I cannot wait to see how it will go.
• “AMTSO Best Practices for Testing In-the-Cloud Security Products” is the second very important milestone. Some anti-virus products started using “cloud” technologies (such as McAfee’s Artemis, which was launched in the beginning of 2008) and the number of cloud-based products is growing; so there is a need to address the fundamental problems associated with testing solutions that are not under the control of the tester. (That is, part of the product is not “in the hands” of the tester; moreover, it can change at any moment in time.) I think it is amazing that representatives of so many competing security companies agreed on fair and scientific principles of how to test cloud-based products. To be honest, when we started this effort we were rather sceptical about finding a sensible way to address all the problems that testers face when evaluating such technologies. The adoption of AMTSO best practices for testing in-the-cloud products means that our brainstorming was successful. I am very pleased to see the agreed results adopted and published. Thanks for that effort go to all the security researchers who contributed to the document and all AMTSO members who voted for it.

Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

The fight against cybercrime is showing some very promising progress over the last few years. We are certainly not where we want to be, but we’re on a good path. McAfee’s own Inititiative to Fight Cybercrime has been in force for more than a half-year. Recently our Cybercrime Response Unit was launched; it’s an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: We are not alone!

McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

Even more important were the small meetings outside the offical program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world with each other and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future!

In March 2009, we notified our customers on a new variant of the infamous Vundo trojan family which we detected as Ransom-F and raised its risk assessment to a Low-Profiled threat.  It was possibly the first indicators of a shift in the FakeAlert criminal model from instilling fear, to holding information technology resources for ransom but certainly not the last.

Last week, we came across to a new variant of a rogue security program branded by its creators as “System Security 2009″ and detected them as FakeAlert-CO, and some of its past similarly branded cousins as FakeAlert-SystemSecurity.

The updated variants were discovered from a web page hosted on trustedw{blocked}security.com.As most other rogue security programs to date, FakeAlert-CO displays spurious alerts and making fraudulent claims of infections that requires the user to pay a fee to “repair”. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-COthat resembles some common characteristics of ransomware trojans.

Once installed, FakeAlert-CO may either terminates all running user process or prompts the user to reboot.

In either cases, it follows to pretend to perform a system scan and report detections of false and exaggerated threats.

What differs it from older variants, is that the user will no longer be allowed to open or execute any applications including Task Manager, Command Prompt or other system and office applications which are terminated by FakeAlert-CO. A message is displayed to the user to indicate that the files are infected and to resolve the issue, the user must activate FakeAlert-CO at a cost.

The “product” website is made to look fairly professional offering an option to purchase a 2-year license, or lifetime support license at a “discount” and even comes with 30-day money back guarantee!

You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

Uninstalling the System Security “product” will not be an option for the typical user, as there is neither an uininstaller function nor will the “Add or Remove Programs” in the control panel be allowed to be opened via the usual means.

However, the reported infected files are intact, and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally.

Affected VirusScan users may remove this threat using the latest DATs and engine.

We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

The image below is a collection of a bunch of swine flu spams:

You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

Here is a screenshot of the e-pharmacy they all lead to:

You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

Following up on Chris Barton’s excellent blog the other day on swine flu spam, we wanted to take a closer look at the numbers…..

Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend and almost certainly not together in the same subject line, so we kinda started there. Using our Trusted Source technology and intel I was able to pull the following chart on the sheer growth in the words “swine” and “flu” when used just as a subject for the last several days:

Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

From the beginning of the campaigns we have seen it generated from all over the world, not really a surprise when one considers the global nature of botnets and spam anyway but the country breakdown is interesting to look at. Seems that Brazil, the United States and Germany are the biggest producers/sources at the moment:

No safe country from spammers eh? When you consider that on any given day there is between 80 to 170 billion email messages with 78 to 90 percent of that number being spam, sending with the subject of “swine flu” gives these criminals a high chance of success due to the media attention the subject is already getting. Social engineering is one of the most successful and dangerous tools at the spammers disposal and it is very hard to protect against.

We have also seen sites with the words “swine” and “flu” pushing malware as well. In this case its a redirect to a Russian-based site that requires our old friend the fake codec be installed to view the movie:

Malware writers, spammers and scammers are low lives. They will use any high media event or high impact news story to push their wares including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic then go to The World Health Organization website.

Money laundering is a process for concealing the origin of funds generated by illegal means. People generally associate money laundering with drug trafficking, gun smuggling, or corruption. But funds misappropriated by identity theft, phishing, and carding also have to be “laundered.” Today, the mushrooming of virtual money (or e-currency) makes the job easier when you need to eliminate traces of suspicious actions. In the past, E-Gold and WebMoney were frequently under suspicion and had to respond to serious allegations of having been used to transform “dirty money” into “clean money.”

But they are not unique; ECUMoney, Liberty Reserve, PerfectMoney, Pecunix, etc. are also on the scene. As with all digital gold currencies, these exchangers offer nonreversible transactions, which is a primary advantage when you want to manipulate money.

Today, websites proposing virtual money exchanges are numerous on the Internet. They are profitable for their owners because they are subject to significant exchange commissions. It is also relatively safe for the people offering these services. In the past, malware authors explained they created their programs only for educational purposes and were not responsible for any inappropriate use. Today administrators of such websites are trying to claim they are not liable for the origin of the transmitting money.

Here too, the network is turning professional, and many former crooks are now specializing in this field. In October 2004, the U.S. Secret Service arrested people said to be responsible for a set of credit card and identity thefts that had plagued Internet users. It was the result of Operation Firewall. Most of them frequented ShadowCrew, a worldwide marketplace where thousands of members traded stolen credit cards and debit cards, as well as bank account numbers and counterfeit identification documents, such as drivers’ licenses, passports, and Social Security cards.

One convicted person, using Voleur (French for “thief”) as a pseudonym, set up a special payment system for cybercrime transactions. For a 10 percent commission, he exchanged cash for E-Gold, the well-known and controversial digital gold currency. Voleur laundered money for dozen of deals of forum members, moving amounts ranging from $40,000 to $100,000 per week. With about twenty other individuals, he pleaded guilty in November 2005, was sentenced in June 2006, and was released later on.

At that time, Voleur’s work was not institutionalized. But today, I believe, this individual is again in business and manages some websites specialized in giving advice for digital currency activities. One of them is named “Voleur Financial Services”; that’s a tall order!

On another site from the same origin (same administrators), we can see some examples of current fees:

Many people want to seize power in this fruitful business, and there are no holds barred. Enemies of Voleur often spread stories of him on the Internet and do not hesitate to reveal bank account numbers.

U.S. nationals are not alone in this business. At the time of Operation Firewall, an Eastern Europe married couple (he is Russian, she is Ukrainian),  their son, and several other people were arrested after they moved more than $35 million in suspect funds through their company, a pioneer of virtual money exchange. Their office was originally located in the Empire State Building, in New York City. Approximately $20 million flowed through E-Gold digital currency accounts.  It is also estimated they purchased approximately $15 million worth of Webmoney digital currency.

Now, from the Manhattan House of Detention, the main prisoner/offender keeps his blog, gives security advice, and is visited by compassionate countrymen.  Some of his friends (I suppose) still manage such exchange sites from Russia. From one of them, these screen shots show transfer fees and how easy it is to remain anonymous in the world of money transfers.

When you visit the website, you will discover a touching interview made in a U.S. jail and the (presumed) building housing the actual company: a bit empty, but nonetheless prestigious in the New York area.

In early April, at an annual conference of the Association of Russian Banks, Finance Minister Alexei Kudrin explained that many small banks are now “engaged in money laundering”. It seems that many suspicious online companies are also engaged in this business both in and outside of Russia.

The Swine Flu pill spam has started and it’s taking a few Hollywood stars names in vain. Nothing out of the ordinary with the sites on the far end yet though I do expect Oseltamivir [AKA Tamiflu] will get some extra exposure once the affiliate pill sites are updated.

Subjects:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

Also we’ve noticed domain name registrations mentioning the word swine are up by about 30 times and you can bet your daughters it’s not all going to be “whitehat” SEO.

Today McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

• The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
• Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
• Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
• If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
• Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
• While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributers have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht; a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out Malware distributors have honed in on the yacht phrase and the top Google results are malicious URLs. We first noticed this on the evening of April 1 when we first read the story and were curious - and our first take was “Wow, they are fast”.    We watched the evolution of the number of google results that presented malware over the course of April 2. The last we checked - even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

The search results don’t look so threatening, but if you are to click on the first few URLs, you’ll find differently. Each of these URLs is a rouge anti-virus URL that will distribute malware. Here are a couple of examples…

These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity will be taken to the malware delivery upon clicking where prompted, and frequently it’s already been delivered even if you don’t click.

This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

So what about that 1969 Rybovich? What about further curiosity based Googling? Next time you find yourself conducting such a search, do so with caution. Consider if the search result URLs all look similar. In this case, that is first red flag of caution. When you click to go to a link; does the content look like what you expected or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed onto red flag number three to see the fake malware scan. Already you’re taking a dangerous path that is not going to show you anything about Madoff’s yacht.

I ran across a new twist on the by-now well known FakeAlert series. Just in case you have been lucky enough not to have dealt with this malware, it goes roughly like this:

You get an email from what looks to be a legitimate source, or visit a legitimate looking website that is offering the latest must-have application or upgrade. “This thing looks cool”, you think as you happily ignore your IT security friend’s advice against following unsolicited or potentially unsafe links. “Someone must really like me to be sharing this with me”.

So you continue to download the ‘treasure’. Then when you try to install it, it pops up an error - something about being corrupt and the installation cannot proceed. Seconds later, you find that some ‘nice’ company has put an antivirus scanner on your computer and begins to scan it for you. You find out that you are loaded with all kinds of nasty stuff and because nothing in life is free, you have to pony up the money to have your computer cleaned.

Problem is, you may not have had these infections in real life. Except, of course, the one you downloaded and installed yourself. This is but one scenario of the fake antivirus scourge.

So the new twist is that your favorite audio or video application may now assist in this nefarious sale. When you install this application, you will actually see things ‘happening’. You won’t be happily working away listening to the latest pop sensation when this gets loaded. The malware will actually stop your multimedia application and drop your volume to zero. It will likewise prevent you from attempting to restart it. You will start to get more and more ominous warnings about your audio and video codecs being corrupted until your entire desktop background is replaced with a giant ‘Your system is melting down and the world is coming to an end - just click here and we will help you fix it’ message (author’s note: it’s not that dramatic, but you get the idea). Of course to ‘fix’ it, it will cost you.

That said, be careful of this scam. We all would like to whistle while we work, but this may have you singing a different tune (sorry, couldn’t resist the sappy line).

More technical information is available here:
FakeAlert-MCodec

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results; to lead people to malware.  It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time.  Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas.   Some of this is obvious from the formatting of the spam.  The terms themselves also vary, some appear in more dictionary style, while others are more focused on current events, and others still are rather uncommon.  The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems.  There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.   Shortly thereafter it appeared that Google took action against that attack.  In deed a Google spokesperson confirmed that idea.

Today, Brian Krebs blogged on a separate story, but mentioned that while searching for a related term (pifts.exe), Google returned a poisoned link high on the results list.  After doing a little searching I discovered that the relevant term did seem to appear on Google’s top 100 search terms for a brief period.  However, the other terms I checked on Google Trends did not yield high ranked poisoned links as before.  But, I did come across a potential source for the page rank manipulation aspects of these attacks;  www.democrats.org, which is “Paid for by the Democratic National Committee “, and linked to from www.barackobama.com.

It turns out that this high-ranking website has a community blog feature that allows anyone to create a blog and post whatever they want.  Attackers have flooded this forum with bogus posts and thousands of links for more than a month.

Blog spam such as this is not anything new.  However, this highlights one significant effect of such spam and underlines the cause and effect relationship of security on the web.

Web searches are immensely useful and quite powerful.
Web 2.0, where a community of users contributes content for the betterment of the community can be a great thing.
But combined, a bad apple (or thousands) doesn’t just hurt the community; it can hurt a significant portion of the Web itself.

The third edition of our monthly spam report was released today. This edition discusses some fascinating topics. Key findings include:

Spam campaigns are taking advantage of “partitioning” to increase their effectiveness and combat the efforts of security tools to reduce their reach.

Replica-watch spam has taken over the number one position for holiday spam.

Business leaders and legislatures have promised to stamp out spam, yet the plague persists. Does reputation-based security hold the key?

Putting a dollar value on productivity lost due to spam.

The topic of lost productivity and bringing quantifiable numbers to the impact of spam on a business is particularly interesting and worth a solid read. Download a copy here.

The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.  It appears that Google may have squashed those attacks, at least at the moment.

The pages that were coming up while searching Google seem to be purged from Google’s index.  The pages may still be found on other search engines, though not ranked as high.  This is also visible in stats I started gathering yesterday.

I took the top 100 search terms for each day of this week and ran a Google search on each term.  I then considered the top 10 search results for each term, looking for poisoned links with high rankings.  Admittedly it would have been better to gather the search results on each day, rather then running the test several days after the fact, but none the less the limited results do suggest that Google took some recent actions.

The following graph shows significant activity prior to mid-day yesterday.

We can assume the attackers will be looking at new and creative ways to circumvent any countermeasures that may be in place.

Search safe.

The other day a worm, often referred to as “Error Check System” was spreading on Facebook.  In fact if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan.  Some folks blogged that this search connection was “too much of a coincidence“, and that the Facebook part of the threat was a “red herring“.  I do not believe this is the case, and here’s why.

Last week I was following up on a comment made to the McAfee Avert Labs blog.  The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same trojan.  Running a search on part of that URL yielded hundreds of search results, many that were placed high up on Google’s results.  The summary text was relevant for the search term and it’s clear that those behind the redirects are manipulating the internet (Google); by not only getting their newly created sites to appear high on the search results page, but also to display relevant text in the page summary section, and for the hottest terms.  Here’s one example, ironically related to the recent Gmail outage.

You’ll also notice that the page summary is identical to the top search result, taken from Google News.  Looking at more search results it is clear that the attackers are targeting popular search terms.

 Other searches show the results using all lowercase titles, the same as used by Google Trends.  In fact, checking some of the top Google Trends links we can see that the abusers are hitting it (ash wednesday 2009 was the #1 search term at the time of this writing, this is image was edited to fit on the blog).

The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year.  However, I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages.

Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

Decoding the script shows that it redirects the user based on the referring URL being “google”,”msn”,”yahoo”,” comcast”,”aol.com”.  This is just one of the many ways the bad guys focus their attacks on potential victims, while making it a tiny bit more difficult for others to discover it.  Once you’re redirected, it’s situation normal for the attackers, various fake alert and scanning messages and windows appearing, ultimately leading to the installation of a FakeAlert trojan (such as one of the 9,500+ known binaries identified by McAfee as FakeAlert-AB).

If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click, on the Web.

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys exactly want to fool people trying to save some money these days. Spam mails promoting bargains, which could help in the recession, are hitting the inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

Following our warning, last week, of the possible scams related to the approaching Valentine’s Day, it’s no surprise that today we’ve seen another new Valentine theme come up–hosted on the fast-fluxing Waledac botnet. If a user were to follow the link in these spam emails–and please don’t do that!–a web site like the following would appear:

A picture with two adorable Shih Tzu puppies is wishing a Happy Valentine’s Day. The text of the lure is advertizing a “Valentine Devkit” named loveexe.exe or start.exe. And regular readers can guess it already: This is a social-engineering trick to convince users to download the real threat. Don’t click the link to the executable or you will end up with malware.

A close look into the website’s source code doesn’t currently reveal any additional drive-by infections nor downloads (but that can change quickly), as seen in past Waledac (or “Storm”) themes. Coverage of this particular malware variant is in the 5522 DATs, plus blocked by Artemis, plus blocked at the (former Secure) Web Gateway as well.

As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

Since at least the year 2000, email scams have circulated around the net for the selling of International Driver Licenses. The authors explained that with their documents buyers could avoid having to pay traffic tickets as well as allowing them to establish new identities for hotel check-ins or bar entrance (if the buyers are underage). Lately these offers have put on weight.

Yesterday, I came across such an ad; it was in French and promoted a site offering a replacement driver license in place of a regular one:

Due to its name of (backdoordl), the website aroused my curiosity. I followed the link and, one thing leading to another, I discovered the extent of this fraud.

At backdoordl, I found a professional website divided into three areas: French, German and English.

In the UK area, I recognized text that was similar to what I first saw in French:

Have you lost your existing licence? No problem! Can’t remember the details? No problem! Need a clean licence? No problem! Need motorcycle, car, bus, hgv entitlement? No problem! Over 65? No problem! Medical problems? No problem!

There are 110 models of drivers licences in current use throughout the European Union, that’s not to mention drivers licences issued outside of the EU that are still accepted for exchange in different EU countries. This service is directed at any resident or non-resident of the United Kingdom or EU that wishes to obtain a full driving licence without any tests. So no matter what country you are a resident or citizen of, they claim they can help. Even if you live outside of the UK or EU! Once you have a driving licence through them, you can exchange it in your own country for a local licence. EU driving licences are accepted ‘as is’ worldwide for driving and exchange. It does not matter what nationality you are!

The office address, undoubtedly fake, written into the contact page was in the UK. There was no phone number; they said it would be provided only to clients who ordered. Despite some inconsistencies here and there, it was also explained the company did not accept any postal contact.  Because photo and signature were needed to create the new driving license, they had to be scanned by the buyer and then sent via email.

The registrar was ENOM Inc. and registration details protected via “WhoisGuard” service thus masking the true identity of the domain-name registrant and preventing public access to that information through its (and any) WHOIS database.

Getting on with my searches, I discovered the backdoordl site was not unique. Almost half a dozen nearly exact copies were also easily available online:

Domain registrants’ WHOIS information is also hidden or made with seemingly bogus data.

At backdoordl and its clones, prices seem consistent: £359 GBP or 399 Euros with payment encouraged via Western Union. There are two ways to obtain the documents:

First way is to exchange your current driving licence, you complete our application form and we print it out and translate some of your driving licence and translate the application form, put it all together and apply for an EU licence. This is a way to obtain driving categories that you select on the application form as the foreign issuing authority will look at the translation and not the licence.
The second way is to make a declaration that your licence has been lost/mislaid/stolen in a certain country that we know about. No other proof that you have even passed a test is required, just your sworn declaration. They will issue you with a temporary driving licence which we can then get translated and exchanged for an EU licence. SNEAKY? Yes, but Illegal? We have been advised NO.

Announced license process is said to take approximately 21 days.

I also discovered this language localization was not unique. During further searches, I found the AldaLegal offer and its clone, DLtransfer. Here too, these crocks speak your language. Sites are not only available in French, German, English, but also in Spanish and Chinese.

Here, the offer is better rounded and not limited to European Community:

For both sites, the company address written at the contact bottom pages is the same: in Australia (215 Harris St., Sydney NSW 2009). Using Google I got hold of a Word document at the bottom of a directory path: a standard letter perhaps used by the guy behind this rip-off. It would appear they also offer help for illegal immigration.

Finally, two other sites attracted me: eudriverlicence and licencetoday. Here too, the seller expresses himself without restraint:

They clearly explain the two ways to obtain such a license. As before, with the first one the buyer has to provide partial information of his actual license. As result, crocks promise an EU Driver License coming from one of the following countries: Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, and Slovenia. The price is around 400 Euros.

With the second way, for applicants who do not or cannot submit any license details (only scanned photo and signature via email), the sites explain they can apply outside the European Union (Africa or a South American country):

All you need to do is check box A “Outside the E.U. Temporary Drivers Licence” on the application form and by ticking the box you declare you have had your licence lost/mislaid/stolen. Then by submitting the application along with further forms, which we submit, we can then obtain a temporary driving licence.

Here a 100 Euros extra-service cost is applied. In this case the total cost becomes 500 Euros.

These sites are not fully duplicated, but the texts look very similar. One company is Martin and Benn Associates. Its address is said to be in Gibraltar (Victoria House, 26 Main St.). The other is said to be in Germany.

At fraudwatchers, a contributor in Gibraltar went down to the alleged offices of Martin and Benn Associates. He didn’t find it, neither in the building, nor in the Gibraltar telephone book. To prove this, he provided the following picture:

The risks are numerous in a story like this. The first one: You are not assured to receive this document. For sure, your bank account will be debited, but getting the license in return is less certain. And fear the worst for your personal data (plus your photo, plus your signature) that you will send to these guys. This information would be perfect for making forged papers.

Depending on regional laws, it may or may not be legal for these companies to produce such documents and to sell them to you, but it may not be legal for you to carry them, or to use them as a driving license. At the drivers.com website, they provide the truth:

• An International Driving Permit is merely a translation of your regular driver’s license into almost a dozen languages.
• It is not a driver’s license by itself.
• You must still carry a valid, regular license from your country, even if you are also carrying an IDP.
• Yes, the United Nations created a treaty, now signed by about 150 countries, but the IDP is not a license by itself. It is mainly to help police read licenses written in other languages.
• You must purchase an IDP in your country of residence.
• You must have a legal license from your country of residence in order to get an IDP.
• No, you cannot use the IDP as a “license” inside your country of residence.
• No, you do not get a new, separate driving record with an IDP. They cannot be used to hide violations or tickets: These are still recorded on your regular driver’s license.
• Most countries authorize only certain organizations to sell IDPs. Check with your local government driver’s license authority.
• In the USA, only two organizations are allowed to sell real, legal IDPs: the American Automobile Association (enter your location carefully), and the American Automobile Touring Alliance, which offers IDPs through the National Automobile Club.
• In Canada, the only authorized distributor of legal IDPs is the CAA. Canadian IDPs are not valid in the USA.
• In the USA and Canada, the cost of a real IDP is about $10.

Being French, only one question left for me as I ended this post: Why do all these guys write “licence” with two “c’s”? I found the response in my dictionary: In the UK, “licence” is the noun and “license” is the verb. In American English, however, the noun is also spelled license. Another lead for the police :-).

China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It’s not clear what China is doing, but the vast amount of computers that have been controlled by zombies are no longer being used for that purpose. One certainly has to wonder what they are being used for.

Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering “cheap” software.

Clearly, money and profit are still the driving forces for malware and spam these days.

An innovative social-engineering technique in which the virtual world meets the real world was described recently by SANS analyst Lenny Zeltser. The original post can be found here.

Apparently, yellow fliers were placed on vehicles in a parking lot, and the fliers claimed that the vehicles were in violation of parking regulations. The fliers further stateed that the owner could visit a certain website to get more information and pictures about the offense.

Upon visiting this website, the innocent victims were requested to download a toolbar [PictureSearchToolbar.exe], which claimed to let them search for more pictures of their vehicles. However, what this toolbar really does is download malicious files from the Internet; those files in turn downloaded more malware.

Here’s a screenshot of the website:

McAfee detects the original toolbar [PictureSearchToolbar.exe] as Vundo.dldr!1231E9AC from DAT Version 5516 onward, while the dropped and downloaded files are already detected as Vundo Trojan.

I was dealing with customer escalations the other day and came across this interesting sample. If you believe the filename install_wrar380.exe it would install WinRar on your system, for some reason I didn’t believe it .

Upon execution, the installer displays a EULA. I have copied and pasted some of the detail below:

“THE COST OF EACH SMS FROM THE USER’S MOBILE PHONE IS TWO POUNDS. UNLESS OTHERWISE SPECIFIED, THE DOWNLOAD COST SHALL BE FOUR SMS.
Please read these USAGE CONDITIONS carefully and, if appropriate, use the download service which shall imply the express and complete acceptance of each and every one of these USAGE CONDITIONS. Otherwise, please close this website.
Netlink Network Corp. offers a PREMIUM high speed download service that is efficient and virus free. In exchange, the user shall first send two SMS under the conditions specified in clause 2.2 that defines the commercial conditions of the service”

These two sections really caught my eye. From what I understood I was going to be charged £8 in the form of 4 SMS text messages so that I can download WinRar. Alarm bells started to ring.

I clicked ‘I agree’ and was prompted for a code. To get this code, I would have to send 2 SMS text messages to 78*** (Number has been blanked out for security reasons) with the text body ‘CD’ and I would be charged £3 for each text message. This was different to what the EULA said, but as it was cheaper I wasn’t going to argue. Also note how the text is almost the same color as the background to make it difficult to see.

As I was interested to find out if it really would install WinRar, I went to my local mobile phone store and bought a mobile phone, put £10 on it and sent a text message to the number. To my surprise, I received a text back saying:

“SMS 1/3. Price per SMS: 3 Pounds. Total cost: 9 Pounds.”

It now cost me £9 instead of £6 to download some free software. This was also more than the £8 the EULA said it would cost me. I received a further 2 text messages and the final one was labelled 2/3 even though it was the 3rd. I guess they don’t have QA. You can see the text messages I received below:

I entered the code and clicked on the ‘Install’ button. The software downloaded WinRar and went on to install it for me.

I found the website which the sample came from and it displayed the following text at the bottom of the page:

“This website does not belong to any member´s program. This program should be used based on rules of intellectual property. You may obtain this program for free from the official homepage. Using or applying cracks, serials or keygens is strictly forbidden. This portal will not be held accountable for inappropriate use of the program. Your query has been sent succesfully. You will receive an answer shortly. Thank you for using our services. Due to technical issues, your query could not be sent. We apologize for the inconvenience”.

So they admit that you can download this software for free from its official homepage. They are clearly trying to trick the unsuspecting user to pay for free software.

I thought perhaps they have done this with other free software, I did some investigating and found several other websites which are registered to the same company and they offer several other pieces of free software for the small price of £6 or £9 as I found out.

I found installers for Messenger Plus! Live, WinZip, WinAce, 7Zip and several others. All of these can be downloaded for free from their official sites.

The websites are aimed at English, French and Spanish users. Luckily for our European friends, they can pay for the free software in Euro’s.

While navigating these sites, two different company names kept popping up. Netlink Network Corp and Soletto Group, S.A., I did some quick searching but couldn’t find any details on these companies.

Some of the domains had been registered as recently as late last month, so I believe we are likely to see more pop up.

I pulled all the executables I could find on the websites and added detection as SMSFraud.

Please be on the lookout for these in the future as you don’t want to pay for something which is already free.

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

Political Spam
Tax Relief Junk Mail
Unemployment and Diploma Spam Increases
Christmas E-Cards

As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

LinkedIn is a popular social networking site where you can manage business contacts online. Since you can set up a profile with links to your own website, it seems to attract criminals’ attention as well. A Google search reveals that several hundred fake LinkedIn profiles from nude “Kirsten Dunst” to nude “Hulk Hogan” exist already. The rogue profiles look all alike, with a picture of the celebrity and three links to the parts of the “nude video” like shown in the following picture.

This is exactly the lure - don’t follow these links! The linked websites contain obfuscated script code which decodes to a simple browser redirection. This obfuscated script code is proactively detected by McAfee as “Exploit-IFrame.gen.c” already.

If you’d follow the link (don’t do that!) to see how deep the rabbit hole goes, you will end up with a Traffic Management System like described in this Avert Labs blog entry. On every reload the server-side application will point to a different domain.

So when an unsuspecting user gets tricked to follow the lure, he will end up on different malicious websites trying the classical social-engineering tricks of either the “missing video codec” or of showing a fake AV scan and telling that the user his computer was infected with malware and offering a “free” AV scanner software, which in fact is the real threat. So beware when following links, even on trusted Web 2.0 platforms like LinkedIn. Especially when they promise some nude celebrity videos.

The current crisis in Gaza between Palestinians and Israelis marks a renewal of web defacement activities. Various Morocco hacker groups have been pointed out by the press; the best known is “Team-Evil,” which just hacked the Ynet Israeli news site.

This weekend, I read various French posts speaking about ethical hacking and “e-jihad” operations made by “pacifist hackers” motivated only by their political ideology. However, reality is sometimes different from perception, and one hacker may conceal another.

On New Year’s Day various web sites were hacked by people introducing themselves as “Morocco & Gaza Hackers” or the “Team Cruel Boys” group.

On the defaced page, one attacker–whose email address is m0×0m_at_hotmail.fr–introduced himself as “M. SoOoSo.” His message seems clear: “I’m not a saboteur, and I didn’t hack this site as an act of sabotage.” At first glance, this guy could gain some sympathizers of the Palestinians’ cause.

But the story is not so simple. A week before, on Christmas Day, I heard about a phishing attack against Orange.fr, a French Internet Provider. Using a mirror site, hackers tried to intercept user names and passwords to access emails and personal data.

Speaking with the discoverers of this identity theft attempt and looking at the code, I noted the stolen data were sent to the same m0×0m email address. Moreover, the PHP script was named soooso.php. What a curious coincidence!

A second email address pointed to another possible Moroccan. As result of some searches I made today, I would not be surprised if this second guy (if it is not the same as the first) was also involved in some fake auction operations.

Of course I can prove nothing, but it would not be the first time we have heard hackers claiming to be ethical “white hats” who are really engaged in criminal activities.

Today a new downloader trojan is being spammed widely. This spam message arrives as a reply to the victim’s query of asking for the wire transfer.

When users run the file “bank_statement.scr” in the attachment zip file, it downloads the BackDoor-DSG trojan, while in the background it downloads an innocent pdf document from a legit site and opens it for deception. The pdf document, however, is not relevant to the wire transfer.

We see that the trojan file is repacked for each message, thus none of them are identical. In addition to that, this time the malware authors are changing resource sections in those pe files such as Icons, and file properties.

For example, we observed following icons:

Other resources:

File Descrption:

• Auto-reader Module
• Reader_Module
• Adobe Reader HSMC
• Adodb_SSL_reader

Translation:

• English
• Spanish
• Korean

CompanyName:

• Adobe
• ADOBE

These crafted resources, as well as the malicious code, are the result of server-side polymorphism to attempt to evade detections by Anti-Virus software. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr trojan, and dropped files as BackDoor-DSG with DAT 5474 or later.

Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today, you’re likely to look at someone who’s never been on the Internet as an alien life form, many new users are surprisingly logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.

While it’d be nice to think that common sense will always protect you, common sense alone has shown to be only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complains received, the typical kind of scam that would give your common sense a chance to flex - Nigerian 419 scams - represented only a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email based scams, and seeks to illicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit crimes of identity theft. Phishing is a smoke and mirrors trick designed to fool you into thinking you’re logging into your bank or credit card’s website, when in reality you’re using a mock-up site designed to steal your personal information.

Online fraud and identity theft crimes consisted of over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004, only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.

It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.

Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.

Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include: 

Click This Link

After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.

Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar. 

Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.

Paste This Link

Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix to avoid filters from seeing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.

Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.

Multiple SIgn-On Domains

A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.

Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.

Multiple Sign-On Pages

In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag. 

The customer should not depend on whether a website “looks” real, however when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.

Log In To Verify Your Account

Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.

When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.

Security Images

Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.

In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that don’t do much to them more resilient. None of these techniques will necessarily have any affect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mockup site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.

Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.

Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.

In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, less than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.

Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.

Following the recent release of this year’s McAfee Virtual Criminology Report, I had the opportunity to talk with diverse European journalists. They asked me for some concrete examples of the malicious Internet “offers” that the economic crisis has produced.

Fake working-at-home opportunities
The most visible offers are not new; they are only more numerous. They involve fake recruitment sites proposing working at home, which promises to be well paid and less time consuming than an office job. In fact, these are offers for mule jobs, like the one I described last year.

No doubt these offers attract all types; but when it becomes hard to find a job, the offer can also appeal to honest people.

Fake banking services
Less well known and increasing, fake bank sites flourish over the ‘Net. These are not mirror sites used in phishing attacks; these sites are created solely to attract people searching for a financial institution that can help. When an authentic bank denies a loan, for example, what could be more natural than to search for a more welcoming business.

The next screen captures offer examples of two live websites among the 20 or so I discovered last week.

�

Fake investment firms
As we watch our investments decline in value, many of us are on the lookout for a high return. Would you welcome an 850 percent profit guaranteed within 24 hours?
 

These investments are beneficial–at least for the crooks who promote them. With scams like these, it’s not necessary to catch people by the hundreds to make a nice sum of money. But if you invest here, you’ll never again see your tied-up capital.

Fake legal services
Cybercriminals know the economic downturn can lead to more people going to court after a dispute with a banker or employer. Watch out for dubious legal offers.
 

Here, too, the “service” will ask you for a cash advance before starting the job, one which will never be honored.

In searching for scam sites I have found many other ripoffs, but I hope you are already convinced: Taking advantage of people who are already victims of financial problems is truly scandalous. Yet this is a reminder, as if proof were still necessary, that today’s crooks have no misgivings about abusing the most vulnerable among us.

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific banks going under hits, scams and malware utilizing that messaging will emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election; when President-Elect Barack Obama messaged malware emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert labs

You may have read in the press recently about landfill ISP McColo being de-peered. Spam is just part of this story, though probably the most visual and media friendly, please don’t see this ongoing situation as mostly spam related. Spam is simply the most visible tentacle of this octopus.

Our esteemed blogmaster Ed has been moaning about getting something on the blog about it & I wanted to dig out something meaningful for our readers so I contacted a close partner of ours and got some real mailserver stats.

Quite the haircut I’m sure you’ll agree.

You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

Enjoy the lower load averages while they last though

This is no reason to rest however, we’re still as busy as ever in the labs and we’re watching as intently as ever. The child porn sites are already on a transatlantic move for instance and we’ll be calling our colleagues at the IWF today for sure.

Look what we ran across in our spam traps recently:

$50 for a survey! It’s our unlucky day…

[Click for full size]

As you can see from the partially obscured email address it is clearly NOT from JP Morgan Chase!! I hope this variation on the theme is suspicious enough to set off most peoples “too-good-to-be-true” radar. We can expect this type of attack to get much more convincing real soon no doubt.

So, election day is over and the United States has a new president-elect. For malware writers, however, the election is not over yet! Here at Avert Labs we are still seeing seasonal election malwares. An interesting one just arrived: It is called BarackObama.exe of all things. What’s more, it has a American flag icon! How patriotic is that?

It turns out this BarackObama.exe is actually the familiar PWS-Banker Trojan, which steals passwords and other user data about bank accounts and sends the information to the malware writer. Another interesting point is that the bank target is not an American bank, but a bank in Peru.

So, it doesn’t matter if you are a Democrat or Republican, the American election remains a nonpartisan opportunity for malware writers to get into your computer–using Barack Obama, John McCain, or even Ralph Nader.

I never thought I’d see the day!

ICANN found it’s dentures down the back of the sofa and taken a bite out of the criminals domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains problems “customers” ?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign Etc…). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
#2 XIN NET - This is where the Pill spammers moved to and have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high) Home of the unique URL “snowshoe” spammers ? almost legit ? The real world doesn’t care for their bulk and whois protected domains (via directi’s Logicboxes), or fake contacts.
#5 Dynamic Dolphin - Owned by Scott Ricter’s Media Breakaway, formerly bankrupted OptinRealBig . MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko's open letter]

This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but never the less, that (so I’m told) this is quick for ICANN

Hip Hip…

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

People don’t seem to seriously care about Wi-Fi security yet. Inspite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leach their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.

Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than it having being configured by the end user.

SOHO routers log every connection and DHCP lease but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious actives have been carried out, a simple restart of the router will erase all tracks.

The extent to which an unsecured Wi-Fi connection can be abused is purely left to imagination of the attacker. Putting on my Dr.Evil hat, here are couple of wicked acts a Wi-Fi hacker could commit and get away undetected using an unsecured network.

• Download child pornography
• Download copyrighted movies and music via P2P
• Download Warez and abuse your bandwidth
• Send bomb hoaxes, terror or threatening emails.
• Send spam (sexual aids, pharmacy or money laundering scams)

Any of the above acts could lead to law enforcement authorities knocking on your door. This is not mere speculation and many unsuspecting people have fallen victim. To quote a high profile example, in the recent serial bomb blasts in India, terror emails that took responsibility for the blasts were sent from unsecured Wi-Fi connections. And it was the unfortunate owners of the unsecured Wi-Fi connection that were subjected to police questioning and house arrest.

In addition to using an unsecured Wi-Fi network for malicious purposes, an attacker can also use it to steal personal information for identity theft. For example:

• Infiltrate and break into internal machines
• Modify DNS settings on the router to point to a rouge server.
• Sniff Wi-Fi traffic for usernames and passwords

The above discussed scenarios are neither speculation nor an exhaustive listing of different ways for abusing unsecured Wi-Fi networks. These scenarios are being enacted by criminals everyday around the world.

Now why would want to be an unwitting host to criminal activities emanating from your IP address or make yourself vulnerable to identity theft? Be a responsible Netizen and please secure your Wi-Fi connection now!

Recent phishing attempts have been targeting some popular social networking sites and jobs websites, such as facebook.com and monster.com. Due to the amount of personal and sensitive information which is saved there, they are very valuable to phishers. This data could be used to further target or spear phish individual victims by name and even work interests.

We have seen phishing attacks which targeted careerbuilder.com in the past. The latest target is another big recruitment site - monster.com. Just like typical financial phishing emails, the Monster phishing emails have subjects including imperatives like “Monster customer service: important notice” or “Monster customer service: please confirm your data!”

But please do not be fooled! These are not from Monster at all!!

The phishing domain would appear to be hosted on a new UK domain with dns leading to a bot in Turkey. We can see from this phishing site, the phisher is mainly targeting recruiters for their logins and passwords. This would enable them to access hundreds or even thousands of job seekers’ CVs which often contain a gold mine of sensitive data. Other elements of the recruiters account could be useful as well.

The level of personal data on a CV is pretty high, and in the wrong hands outright dangerous. Be vigilant against unsolicited emails!

On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Go everywhere we have told you not to go. Click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users to part with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries and by the end of the 30 days they received more than 104,000 spam emails–that’s an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’:

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants experiences, go here
and make sure you download the ‘Global Spam Diaries’ as well.

We often read that scam and phishing attacks are more and more complex. I agree… if we deliberately omit the various phishing kits available from the internet, which are usually not very sophisticated! This weekend I got yet another phishing email scam on my personal email address. This one targets Paypal users and specifically Paypal France since it is written in French. I thought that could be a perfect example to dissect in order to highlight the suspicious parts of its content.

So here is the email body:

First thing to notice: the use of “Cher client Paypal”, which means about the same as “Dear Paypal member” and is a formal way, but also a very non-specific way, to start a mail. Paypal always uses our real name in the beginning of its mails, so any email that appears to be sent from Paypal that starts with such common sentence is suspicious. Moreover we use accents in French, and although it is written in French, there is no accent at all. Worse, there are many grammatical errors. Paypal is a big company, and I find it highly unlikely that they don’t have people who can write French properly! So, just the reading of the email body should be sufficient to encourage us to drop it in the trash bin.

But let’s see the subtler parts now.

The email asks us to click on the button “Activer” in order to re-activate our Paypal account (which has never been deactivated obviously). But as you can see in the following screenshot, the button does not point to the Paypal.fr website but it is linked to  the domain falomensdepeyy.com, although “www.paypal.fr” appears in the URL in an attempt to confuse people. A Very typical tactic!

And last, but not least, let’s look at the email header:

The content of the entry called “X-WEBC-Mail-From-Script” is the proof that this email was sent with a script located at http://www.alkasterdesese.com/mailer1.php, which has nothing to do with Paypal’s website! Although the “From” field contains the correct sender “service@paypal.fr”, we are now sure that this email did not come from Paypal.

At the time of writing, both sites located at alkasterdesese.com and falomensdepeyy.com are shut down.

Additionally, Michael Barrett from PayPal has posted an excellent blog on how to spot scams.

There has been some debate in anti-phishing circles over what a hosting service provider should do when taking down a phishing site. It boils down to one of three basic actions the victims witness.

• Redirect the hits to the brands legitimate site - This in my opinion is a dangerous thing to do on many levels and any brand requesting this action will feature on a follow-up shortly.
• Remove the site and throw the 404 error - Just stopping the site working and having the browser present a standard error is the standard check-box reaction & minimal effort.
• Use the hit as an opportunity for education - This is by far my favored option (even though I’ll play devils advocate when it’s discussed). Once a victim has fallen for a phish email, help them to help themselves in the future with some easy to understand education.

Education has to be appropriate, I’m not suggesting at “click time” is a good time for presenting the user at the Anti Phishing Phil game for instance. (Phil is great though if you’ve never seen it). “In your face” education at click-time is a topic close to the heart of the APWG, they will present their advice on the topic very soon.

So back to the raison d’être of this blog, a 10 gallon hat tip to AT&T for this great vishing takedown. [Listen to the mp3]*. They’ve raised the bar with this one and deserve some hearty kudos. I can’t think of a better way of dealing with a vishing number. The continuous unavailable tone has no place here since it’s easily confused with mis-dialing ^{(Homer mp3)}. They have replaced the disconnected service with a great education statement and sound advice too if the caller thinks that they were a victim.

^{* The quality is much better on the phone, I used our conference bridge to record the example.}

A few days ago I was browsing a forum while I read a message from someone saying that he received a strange link from one of his MSN contact list, which was formed like the following:

http://[MSN_login].flatl1n[removed].info

This domain hosts a webpage asking for MSN logins and passwords and pointing to another webpage asking for ICQ login credentials:

But let’s examine this page in details, especially the “Terms of Use” for example:

“Terms of Use / Privacy Policy:

By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcomming Messenger Community Site.
You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.
By using our service/website you hereby fully authorize TST Management, Inc to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”

Oh well, that reminds me how social engineering is powerful…
The victim received this URL from who is supposed to be one of his MSN contact and it is unlikely he will spend a few minutes reading those lines. So I agree, everything that the attackers do is published inside the Privacy Policy, but I disagree when they say that they don’t “trick” people to get their login credentials: they use social engineering attacks to get users’ passwords, this is dishonest and this is phishing scam!!

Now, here is the funny part of the “Terms of Use”:

“This is a free service. You will not be asked to pay at any time.
You will not be subscribed to anything asking for payment.
This service is made possible by many hours of human effort.

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.”

So ironic…
And the last part, the one that aroused my curiosity:

“You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 TST Management, Inc”

I was wondering if this website was effectively hosted in republic of Panama, but a whois of the domain informed me that the IP address is located in Hong Kong actually:

The Reverse IP field says there are 32 other sites hosted on this server (210.56.53.224).
And we can see also that “TST Management, Inc” (who is the registrant of the domain), owns 412 other domains.
So I decided to do a Google search and I wasn’t surprise to notice that they are apparently used to phishing scams!
“TST Management, Inc” seems to be another name for the “Blue China Group Ltd”, the one that was sued by MySpace last year for mass spamming.

I managed to create a screenshot of the old “Mass Comment Poster” website that belonged to them:

We can see that the Terms of use were very cynical too!!

They also host what they introduce as a MySpace tracker (called “Stalker Tracker”) which is in fact another phishing scam website:

Besides the website displays another “typical” Privacy Policy mentioning:

We may temporarily access your MySpace account to do a combination
of the following:
1. Post bulletins to your friends promoting stalkertrack.com.
2. Post comments to your friends promoting stalkertrack.com.
3. Post a blog about our upcoming tracker for your friends to read.
4. Customize your blog header html with a clickable stalkertrack.com ad image.
5. Send a batch of blog invites on your behalf.
6. Send IM invites with a personalized stalkertrack.com message and/or image advertisement attached - to your friends and potential friends and other members.
7. Introduce new entertaining sites to your friends via comments, bulletins, and messages

And guess how can they do that? Once again, just by using the login credentials entered in the form…

Last but not least, once the login credentials are submitted via the phishing scam MSN/ICQ web pages, a PHP script is called to increment an online counter, and here are the statistics available at the moment:

This counter seems to supervise the activity on all their phishing websites, not only on a couple of them.

We can see that 92 people were reaching one of their phishing scam websites when I was looking at the statistics, they were 35334 unique visitors yesterday, 284746 visitors since the beginning of June, 3616516 visitors last month, and 7031582 visitors since this counter has been created (since February/March 2008 according to the second screenshot).

Be vigilant of such IM messages and websites marked as “copyright” to “Blue China Group, Ltd” or “TST Management, Inc“. Whatever the website purports to be they are certainly requesting your login credentials in an unclear way!!

In the United Kingdom the term “Postcode Lottery” refers to situations where public services are available to certain postal districts where these districts are carved up by government authorities according to the first 4 characters of the post code (Our equivalent of the American Zip code*). In densely populated areas it is entirely possible for one end of a street to be lucky in a postcode lottery and the other end to be unlucky.

So, postcode Lotteries in the UK are generally bad news. They always get press attention. For instance the national health service (NHS) local trusts will provide a superior premium drug in one area but not in another creating what is known as a Postcode lottery. Prescription charges is another good example.

The remote money fraudsters are taking a very different view!
According to the bottom-feeders a Postcode Lottery is a competition you can win!

Sample below from my yahoo account. Notice the rotten spelling and the possible macro replacement issues, incidentally we call these PBCAK issues internally (Problem Between Chair And Keyboard)

Subject: National Postcode Lottery

National Postcode Lottery

Attention:-

Winner We bring to your notice the winning letter from Nationale Postcode Lottery {United Kingdom Promotion Company} held on the 8th of May, 2008 through Internet ballot System among 10,000 Microsoft users.Subsequently, your email address attached to ticket number 24.2.6.37.15.45 won contract sum of 800,000.00 Pounds ,winning number 100364,ref number XX/0999/171ESP and BATCH: 1211504/MIU.

We request you to pay serious attention to this notification by contacting the claims department with claim information and procedures of claim.

Mr.Jose Bolton
Tel: +44-871-nnn-0525
Fax: +44-700-nnn-0445
Email:divineagent@sify.com

Congratulations once again from our members of staff and thank you for being part of our promotional program.

Yours Sincerely,
Mrs. Stefian Smith
National Postcode Lottery

—————————————————————–
Find the home of your dreams with eircom net property
Sign up for email alerts now [advert removed]

Hardly a political issue, I’m sure you’ll agree. 419 plain and simple. But we’ve seen that email address a lot recently. Time for a good old fashioned LART’ing!

^{*The full 7 character UK postal code is very accurate, it refers to the handful of mail a postie can deliver, approximately 10 houses or thereabouts.}

A highly targeted spear phishing campaign is currently doing the rounds. Executives–including some of our own at McAfee–have received emails purportedly from the U.S. Tax Court. The emails are designed to look like a petition from the Tax Court and are fairly believable, with domains similar to the legitimate ustaxcourt.gov in the “from” address and links. There’s also a legitimate telephone number for the organisation. The executive’s name is listed as the respondent in a case versus the Commissioner of Internal Revenue.

The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.

Clicking on the link may result in malicious code such as keyloggers being installed on your system.

The U.S. Tax Court currently has the following notice on its web site:

“The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court’s practitioner bar. This message is an example of “Spear Phishing,” which is an e-mail spoofing attempt that targets a specific organization. The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

Have you had any odd meetings in your Outlook or Google calendars lately? I’ve been monitoring an interesting spamming technique over the past few weeks where they are sending automatically accepted meeting requests (if you allow that) to your calendar.

The spam is originating from Gmail accounts but the Google and Outlook calendar functions are compatible so the meeting request goes straight into your calendar and you probably won’t notice it until you get a reminder at the spammers chosen time.

All the samples I’ve seen so far are Nigerian Scams which is interesting in itself as the Nigerian scammers have traditionally been less advanced in terms of coming up with new tricks.

This tactic adds a further nuisance factor for the recipients of this spam as it sets your time as “Busy”. Sure, you can turn off automatic acceptance of meeting requests via the Calendar options in Outlook and in Google Calendar but that feature is provided for a reason so why should the spammers stop us using it? This spam campaign has been low volume and targeted as is the nature of the Nigerian Scam email but there’s been alot of talk in the last few months about Gmails captcha being broken so it wouldn’t suprise me if the botnet spammers pick it up pretty soon!

A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) but more questionable. It is surprising that these do not require any name verification before accepting registrations. But once you know that a lot of spam and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling regarding the nationality of their owners: China and Russia.

For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

• Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
• Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
• Accepting underground and child labor.
• Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
• Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
• Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

And if these considerations don’t stop you, remember you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden Iframe linked to a known password-stealing Trojan.

Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:

Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts will typically encourage the user to download or install a rogue security software product by means of “detecting” bogus infections on the system and frighten the user into buying the rogue software in order to clean the fictitious malware that that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use Responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To do this often times similar techniques such as those used in product marketing are involved. Responsible browsing practices can include identifying when propaganda is used to persuade one into believing something, doing something, or buying something. This is not solely indicative of something malicious in nature, however being able to tell when these methods are utilized can sometimes help one to know when to ask more questions about the motivation or intentions for the use of the tactic.

Do some quick research:
If something does flag ones attention it may be worth the effort to do some quick investigation. Use a well known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third party opinions or reviews. This may help provide some additional counterpoints that may help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes however these types of programs will write the fake files to the system so that it can later detect them as malicious.

Check the time and date stamps on the files. Are they similar to that of the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!!

Meeting the German participants of the McAfee SPAM Experiment for dinner yesterday turned out to be very interesting and provided some unexpected results. After 14 days living on a Spam-mail diet they are still in good shape. Some are so into it that they even installed SiteAdvisor to find out, in advance, if a site is likely to send you spam when you leave your email address there…

Getting in trouble with the girl-friend for browsing dating web sites while leaving his mail-address for possible use by spammers was one of the less expected (and desired) results.

And then this: Collecting spam through surfing porn sites really does not work! All who tried told me they didn’t receive much spam when leaving their email on such sites. That really was a surprise for me. I would have expected a lot of spam, as there seems to be a fairly obvious link between porn and certain drugs and enhancement pills…

Constantly living in a world full of (empty) promises seems to have some effect as well: “It’s nice sitting here with you, but soon I’ll be hanging out with Tom Cruise and Jessica Alba and I will even get money for it” - it’s amazing what some shady people promise you, just to get your email address and other personal data.

There was some amazement when two participants figured out they had received nearly identical advance-fee scams: One in English, the other one in the Polish language.

Well, I’m sure all participants will have a lot of interesting experiences and stories to share at the end of the experiment and I sincerely hope they manage to stop clicking on all those ‘you are the 100,000,000,000 visitor of this webpage’-banners

Oh, and a last note: If there is one movie you should watch this year, make sure it’s the Futurama: Bender’s Big Score where Spam and Phishing play key elements in the story!!

In a natural evolution of phishing, Internet scamsters are switching to “Vishing” — short for “voice phishing” in order to steal user information. Vishing combines the use of Voice over IP (VoIP) phones along with clever social engineering to gain access to personal and financial details of the victim by exploiting the perceived trust in traditional telephone services.

With increased user education about Internet scams, people are more aware of the fact that an e-mail containing a URL could be malicious in nature. Instead of using a misdirected Web link to some phony banking sites to steal user information, fraudsters are luring victims to something more credible like calling a toll free number and having an automated recording asking for account information.

Potential victims would get the usual convincing e-mail phish conjured to look like a genuine complaint. But instead of being directed to a website to resolve the pending issue, they are given a phone number to call. Those who call the “customer service” number are greeted with a pirated recording of an automated voice system for the targeted financial institution and are requested to enter their card number in order to authenticate. They are then led through a series of voice-prompted menus that ask for PIN codes, card expiration date, date of birth and other critical information. Once the victim enters these details, the visher has enough information to use it for identity theft and make fraudulent use of the information.

With the US tax deadline nearing, McAfee Avert Labs has observed a surge in IRS refund phishing attempts. In addition to the usual e-mail phish we also observed IRS vishing campaigns targeting VISA or MasterCard debit cards.

Here’s another example of a vish campaign targeting a well known bank.

Other variants of vishing use CallerID to spoof an incoming call to appear as an 1-800 number or SMS messages purporting to be from a bank. A text or pre-recorded voice message is then played out, persuading the victim into believing that their account has been frozen due to suspicious activity. As the incoming call would display a 1-800 number from a recognized institution, it creates a false sense of security about the authenticity of the message.

Vishing is all set to flourish with advancements in Voice over Internet Protocol (VoIP) technology that enables cheap and anonymous Internet calling. Given the ease with which CallerID boxes can be tricked into displaying erroneous information, it is becoming increasingly difficult to distinguish phishing attempts from genuine attempts to contact customers.

If you encounter a vishing attempt and have a question concerning your account or card, please contact the financial institution only using a telephone number obtained from your account statement, a telephone book or other verifiable, genuine correspondence.

Until recently most ATM skimmers had to go through the inconvenient process of extracting PIN numbers from a video of the PIN pad when it was entered. Problems with the camera being blocked or discovered would cause many PINs to be lost. The only improvement implemented was sometimes replacing the entire PIN pad in order to directly save every number entered. Replacing the pad solves the video problem but requires a level of physical access that is rarely possible without being detected.

Visa certifies many ATMs based on their requirements for PIN Entry Devices (PEDs). These requirements are supposed to define how to implement a PED so that no PIN is stolen from the ATM. As an example, one of these requirements is the use of 3DES to encrypt the PIN when sent to the ATM. In the definition of the requirements it states that the PIN must be encrypted even within the PED. Of course because the entry from the pad can not be directly encrypted there must be some interpretation as to how soon the encryption takes place.

Despite this certification process there are several terminals, such as the Ingenico i3300, that have been discovered to be vulnerable by a pair of researchers from Cambridge named Steven Murdoch and Saar Drimer. They discovered that in several models of ATM there were cables from the PIN pad that contained unencrypted PIN data. While the ATMs were designed to detect physical tampering the researchers found that it was not difficult to insert a paperclip that would avoid detection and tap the critical line from the PIN pad.

These ATM devices were allowed to be certified presumably because the unencrypted data is considered to be within the PED or because the data is only single key entries and not a complete PIN. However, these details do not make a significant difference to an attacker. The ATM PIN problem is similar to what would happen if a web user viewed an encrypted web site through an unencrypted web proxy. While the traffic appears encrypted to the server or central ATM computer there is still a large opening for viewing the unencrypted data on the user’s side.

Visa has claimed that this threat is not a real-world threat because it requires specialized knowledge of the ATM terminal. What attack of this type doesn’t require specialized knowledge? Attackers have to research in advance to make sure their second magnetic stripe reader and their camera are well positioned and hidden. Finding out where in the case to insert the paperclip to connect to the PIN wire is not a difficult additional item to research.

Awareness of identity theft and fraud is increasing in the general population. Criminals who make a living from large databases of ATM and credit card numbers are always looking for new ways to steal that information. This new vulnerability will allow fraudsters to gather data on even the most paranoid individuals.

Whilst the masses stay vigilant to “love” attacks [1][2][3][4] in the run-up to Valentine’s Day (tomorrow, don’t forget!), others, including McAfee Avert Labs, are wary of further hybrid spam and malware attacks. This morning we received thousands upon thousands of “Google Ad link” samples via our anti-malware and anti-spam automation systems.

A topical social-engineering trick highlights the race to the White House [5] for the Hillary Clintons and Barack Obamas of the world. It’s actually surprising we didn’t see more of this attack yesterday–the week’s anniversary of Super Tuesday [6].

The spam email (example below) contains a link (hidden by HTML [7]) that points to Google’s page-ad service passing another URL–a malicious one–which effectively redirects your browser to a site hosting a protectively detected Downloader.gen.a [8] sample. The site used in this attack is suspected to be linked to the notorious Russian Business Network (RBN) [9].

Other examples of this spam included some of the following subjects:

• Hillary Clinton Full Video !!!
• Interesting dvd with Beyonce + 4 asiatic lovers!
• Interesting dvd with Jennifer Lopez + 5 english boys!
• Interesting mp3 with Beyonce + 5 portuguese horse!
• Interesting photo with Mylene Farmer + 6 black stallions!
• Interesting video with Keira Knightley + 2 black dogs!
• Keen melody with Christina Aguilera + 4 english boys!
• Keen photo with Britney Spears + 4 asiatic stallions!
• Kick-up mp3 with Christina Aguilera + 5 irish mans!
• New melody with Kylie Minogue + 3 spain dogs!
• New presentation with Mylene Farmer + 6 portuguese lesbians!
• Part of presentation with Jessica Parker + 6 black dogs!
• Shocking photo with Jessica Parker + 3 italian horse!
• Stunning presentation with Beyonce + 3 black stallions!

We urge you to be vigilant and keep your anti-spam and anti-malware protection up to date. Remember, if it sounds too good to be true, it normally is.

[1] : http://www.publicopiniononline.com/localnews/ci_8249998
[2] : http://blogs.knoxnews.com/knx/silence/archives/2008/02/valentines_day.shtml
[3] : http://www.nbc13.com/gulfcoastwest/vtm/news.apx.-content-articles-VTM-2008-02-13-0006.html
[4] : http://press-releases.techwhack.com/16498/microworld-technologies
[5] : http://www.independent.co.uk/news/in-the-news/race-for-whitehouse
[6] : http://en.wikipedia.org/wiki/Super_Tuesday
[7] : http://www.avertlabs.com/research/blog/index.php/2007/08/20/the-risks-of-html-formatted-e-mails
[8] : http://vil.nai.com/vil/content/v_142821.htm
[9] : http://www.securecomputing.net.au/news/69637,britney-paris-used-as-hook-in-new-spam-botnet.aspx

McAfee Avert Labs has received reports of a new phishing attack that purports to be from the U.S. Internal Revenue Service (IRS). This email attack is similar to IRS phish campaigns seen before and offers victims a $375.20 refund directly to their credit card for filling in an online form. A copy the spammed email is shown below:

IRS phishing scams faithfully appear every year during the US tax season. There have been several campaigns in the past and this one was first observed on Jan 28th in our spam traps.

The phish is hosted on a legitimate website based in the United States that deals with special effects for Halloween and movie props. The phish page is a rip-off of the original IRS website and the online form asks for the victim’s name, social security number and credit card details. In addition to these CVC/CVV2 and ATM pin number details are required. Makes you wonder how many people would still give such information in their eagerness to get a refund given it is the middle of the tax season.

Of late we are seeing the numbers of legitimate web sites compromised by attackers surpassing those purposefully hosted by an attacker. By abusing compromised legitimate web sites to host malicious code, a spammer can subvert real-time blacklists that are used to traditionally check for the validity of links advertised in emails.

When the website owner was informed of this compromise, his reply was “I’m not a techie, but I have to run this site and don’t know how to fix this problem. Any help would be wonderful.” This brutally honest reply left me speechless!

Ps: I’ve ensured a McAfee Avert Labs field service engineer would be getting in touch with him shortly as well as making sure the IRS has the spamming information.

Late last Friday, Avert Labs became aware of an interesting piece of malware. In this latest social engineering scenario an attacker sends a new “friend request” to MySpace users. When the user clicks on the picture or name of their new potential friend, an overlaid image of what looks like a legitimate Windows “Automatic Update” pop-up box is displayed. Clicking on or near this bogus dialog will result in a request for a file download that is visually disguised as a Microsoft update called “updateKB890830.exe” from a server named “winxpupdate.Microsoft[removed]“.

Instead of an update however, this download contains a malware cocktail containing additional downloaders, several trojans, as well as a remote admin tool. It is advised to be aware of dialogs that have abnormal properties. One such property may be that the dialog disappears when the web browser is minimized. If this is the case the dialog is probably an image rendered within the context of a web browser and is not a legitimate update. McAfee AV users were proactively protected against this threat.

Spammers have been abusing free hosting for a long time. Yahoos’ Geocities was pretty heavily targeted in its day and more recently Googles’ Googlepages and blogspot are the abused services of choice. The general idea being spammers can get 1-20+ thousand accounts a day with unique urls and point them at a handful of spammed domains that they had to pay for.^[1] It’s improbable that any external party can compile a complete list of the abused accounts, report them to the host and the host engage somebody cluefull 24/7 to take-down the sites in any reasonable time period to make the spammers campaign ineffective.^[2]

I know, I’ve tried!

Those of you that read this blog a year and a quarter ago will remember that the metric truckload of accounts are often provided as a paid service to spammers if they are not able to perform the required tasks in house.

- Spammers have also been abusing the free blog services for a long time. (and setting up their own fakes)

- Spammers have also been abusing the free tiny url services for a long time. (and setting up their own fakes)

There is a common theme here! Free services that allow or facilitate blind redirection. It’s all about getting emails through and links in front of victims and as a rule of thumb, the more popular the service you abuse the less likely it is to blocked by the blacklists. Surbl have an open letter to redirection services, if you want some more education on the subject from the blacklist prospective. ^[3]

It’s no surprise that the next popular service to be abused is the search engines. To be clear, I’m not talking about Spamdexing (manipulating text for high search index rankings) or SEO dirty tricks, but (ab)using a search provider as a redirector by using the more advanced search options combined with “Feeling lucky” features that take you to the top search result.

I’ll dissect this mornings sample for you noting one additional point:
- Spammers have also been abusing the free webmail services for a long time.

A quantity of Yahoo webmail spam kindly deposited its self in one of our many millions of spamtraps, DKIM signed, SPF passed Etc, Etc. Inside it was a link to a “feeling lucky” link c/o rival search giant Google.

Abused Search Host: http://www.google.com/
Search Function: search?q=
Search Feature Text in the URL: inurl:games-pro
Search Feature Text int he page: intext: won1 million megabet from casino online ^[4]
Search Invisible Redirect Feature: btnI=Lucky

If you put this lot back together you’ll get an invisible redirect (302) to casino-games-pro that’ll try and auto-install the CasOnline PUP. Charming.
I’d like to point out here that if you try to send a spammy link out via yahoo webmail they captcha test the sender. (but they also did that when the accounts were setup, right?) The trick here is the fact that there is nothing spammy about a search link. I have no doubt that /btnl=Lucky/ will be hitting the filters at Yahoos webmail HQ very shortly if it hasn’t already.

The “Feeling Lucky” spam technique is not particularly new, but this webmail twist does show the relentless diversity of spammers abuse of free services provided by the big players alongside their abuse of the smaller fish that Kevin blogged about the other day. As he pointed out, the spammers are using the phishers techniques, how long before we see “btnI=Lucky” in phish.

All of these methods are popular because it’s not really possible for RBLs’ or URIBLs’ to block them without collateral damage to innocent sites making it more likely that spammers links will get through to the inbox. Though when the abuse is more than background noise things do happen.^[5]

^{[1] Lets assume for ease they actually do pay, in reality it’s stolen card & credentials sample from some carder IRC channel.
[2] Testing a random Googlepages link spam from last month shows that everything is still working.
[3]For the record many shorter-link services took notice rapidly!
[4] Yes I linked ” won1 million megabet from casino online “ - so what? I really do hope this blog helps.
[5] Tale a look at SBL60999.}

Tis the season to be shopping, tra la la la la but don’t get had.

I’ve stumbled upon a scam where search engine product listings are being (ab)used for the classic (”#1 auction site”) +postage scam. Most auction sites have some jokers with good value items with ridiculous postage or compulsory insurance to even the score. Credit where it is due, the big boys are clamping down on unfair charges, but it’s still pretty common for listings to include excessive additional charges; £13 to post a memory stick locally (almost twice the price of the item itself), or £38 to post a Wii.

The scam works like this:

You search for a gadget on your favorite search engine’s products section and as normal you’ll see those highly relevant and usually high commission links on the first page. Like most people, I’m sure you’d have gone to the high street to pay hight-street prices, so the first click is to sort by price. Scrolling past the pages of adapters and cases (if you wanted a case or adapter you’d have searched for it after all) you’ll eventually find the holy grail, the page containing the lowest price actual product you searched for.

It is not uncommon to find many web-based storefronts for the same white label box-shipper, so new stores with juicy offers crop up every day. Since you’re an astute shopper, you’d investigate the first couple of links, knowing that your about to save about 20% or so.

When visiting the site indicated we see that the price is invitingly lower still than the one displayed by the search engine. Bargain!

^{[ Click for full image - This site is flagged by SiteAdvisor due to misleading offers ]}

…along with the somewhat unusual text “Subject to change”, anyway £4.20 is £4.20 so we decide to click to buy now.

^{[ Click for full image ]}

£300 is the total, right up there in the top right of the PayPal page. If your PayPal credentials were stored in your browser that login button would be your destination. If you happened to be logged in to PayPal the blanks in the form would have been all filled in too. If you were in a rush (and who isn’t at this time of year) I’m sure that would have been easily missed.

“Subject to change” hardly covers this one. Just to pour salt on the wound, the actual Post and Packing sting comes on the last page, and after you’ve logged in.

^{[ Click for full image ]}

£1200! Caveat Emptor people…”Let The Buyer Beware”
- Merry Christmas one and all.*