Search results matching tag 'Spam\Phishing'

Between a PoC and a Hard Place – Symantec Security Blog

cmosby — Thu, 18 Feb 2010 05:00:00 GMT

Between a PoC and a Hard Place

Irfan Asrar

February 11th, 2010

Tags: Endpoint Protection (AntiVirus), Mobile & Wireless, Security, Vulnerabilities & Exploits, Security Response

Several reports have been published detailing a Blackberry proof of concept (PoC) exploit called txsBBSpy that was recently presented at a security conference. Although it may not have been the aim of the original presenter, some reports have framed the PoC as being able to exploit so-called vulnerabilities that the writers believe to be present in the Blackberry platform. The “vulnerabilities” involve secretly forwarding incoming emails, locating devices by way of their GPS capabilities, eavesdropping on conversations by surreptitiously turning on microphones, and other such nefarious behavior.

Although the vectors used for the PoC itself weren’t exactly ground-breaking—we described the concept behind attacks in a whitepaper back in 2007—it does highlight the fact that competition between mobile platform vendors to provide easy-to-use APIs (and thus attract developers) has made it possible to write malicious applications for mobile devices in less time than ever before.

So, does this mean the existence of easy-to-use APIs makes mobile devices unsafe? The answer is: not really. While over the years it has become easier to work with mobile development platforms, and the amount of time it takes to bring a new and fully featured software product to market has decreased, this has also meant that platform vendors have simultaneously had to introduce steps to ensure that new API features are not being used for malicious purposes.

Vendors take different approaches to ensuring the security and integrity of applications written for mobile platforms, such as restricting application security policies, providing a single point of distribution, mandating application signing, and restricting applications that may be installed to those that have been approved (with the possibility of future revocation if an application is found to be questionable). However, these steps can never be 100% reliable, and as such, situations may arise in which malicious applications sneak through, as happened last year. This is where the case for mobile security products can be made.

Some simple precautions that end users can take include:

•    Watch out for unusually high battery consumption. Although this sounds simple, many threats written for mobile platforms are not designed to run efficiently, which means that resource usage can be extremely high.
•    Be sure to check the device’s Bluetooth settings. Ensure that devices are set to be “hidden” and not “discoverable.”
•    Keep track of your normal levels of data usage and contact your service provider if you become aware of significant increases that you cannot account for.
•    Report any prompts to send premium-rate messages.
•    Periodically confirm the applications installed on your mobile device and report any entries you did not specifically approve.
•    Avoid granting “Trusted Application” status unless absolutely required, which may allow malicious code access to confidential data:

As more and more developers move towards mobile application development, mobile devices are becoming ever more sophisticated and are increasingly being used to store critical personal data. Mobile device manufacturers will have to walk the fine line between providing comprehensive APIs and preventing malicious applications from gaining unfettered access to user content and other potentially sensitive data.

Special thanks to Henry Bell for his help researching this blog entry.

Fake AV & Talking With The Enemy – Symantec Security Blogs

cmosby — Thu, 18 Feb 2010 05:00:00 GMT

Fake AV & Talking With The Enemy

Peter Coogan

February 12th, 2010

Tags: Endpoint Protection (AntiVirus), Live PC Care, Security, Trojan.FakeAV, Security Response

Fake antivirus software (a.k.a misleading applications or rogue antivirus) is big business nowadays with Symantec reporting 43 million installation attempts from over 250 distinct programs between July 1, 2008, to June 30, 2009. With fake AV software costing the victim anywhere from $30 to $100, this is a lucrative earner for criminals.

Over time Symantec has observed various social engineering tactics being used to try and entice victims to hand over their money in this scam. The fake antivirus software known as Live PC Care has now gone as far as offering live online support to potential victims. Once a victim has installed Live PC Care onto their system via a system exploit or social engineering tactics, they are presented with the screen below falsely informing them that their system is riddled with viruses. Any suspicious computer user might wonder what this software is and where exactly it came from. To alleviate doubt and to aid with the whole scam, the designers of Live PC Care have added a yellow online support button in the top, right-hand corner of the fake AV software.

If a potential victim clicks on the online support button they are brought to a live support chat session. The authors of Live PC Care have taken advantage of a legitimate freeware live chat system called LiveZilla. This system allows Live PC Care victims to chat online with so-called “support agents”. The following screen shot below shows part of an online support conversation with a Live PC Care agent.

After a number of questions we determined that it was not an automated script, but rather a live person at the other end. The main aim of the online support session is to reassure suspicious victims that Live PC Care is legitimate software and that without activating the software at a cost, your computer system is at risk.

With fake AV authors now employing their own online support people, it demonstrates just how big business this scam is and how much the fake AV business model has changed since its initial conception a number of years ago.

Symantec detects Live PC Care as Trojan.FakeAV.
---------------------------------
Thanks to Hon Lau for his input on this blog.

New ZBOT/Zeus Binary Comes with a Hidden Message – TrendLabs Malware Blog

cmosby — Wed, 17 Feb 2010 05:00:00 GMT

img {max-width:650px;width: expression(this.width > 650 ? 650: true);border-style:none; behavior: url(../iepngfix.htc); }

Feb10

New ZBOT/Zeus Binary Comes with a Hidden Message

11:49 pm (UTC-7) | by Jonell Baltazar (Advanced Threats Researcher)

Trend Micro advanced threat researchers recently came across a new ZBOT/Zeus binary file detected as TROJ_ZBOT.BTM.

ZBOT/Zeus variants are well-known for stealing banking information from its victims via various social-engineering tactics (e.g., spammed messages, malicious links sent to social-networking site members in the guise of messages, and compromising legitimate sites), as evidenced by the following documented noteworthy occurrences:

Apart from the usual information-stealing tactics ZBOT/Zeus Trojans are known for, however, this new variant came with a hidden message that thanks and taunts some well-known antivirus companies for the help they provide the cybercriminals behind the malware to constantly improve on their craft. The said message, however, will only be visible after the binary file (version 1.3.3.3) unpacks and copies itself onto affected systems’ memory.

This taunting message shows that cyber criminals have systems that monitor the performance of AV companies in detecting their craft, and they are constantly updating their software to avoid detection.

Trend Micro™ Smart Protection Network™ already protects product users from this threat by blocking user access to the malicious site, http://{BLOCKED}p.com/consc/cons.exe, where the binary file could be downloaded via its Web reputation service and by detecting and preventing the file’s execution on affected systems via its file reputation service.

Non-Trend Micro product users, on the other hand, can also stay protected by using free tools like Web Protection Add-On, which was especially designed to block user access to potentially malicious websites in real-time.

Searches for Super Bowl News and Bill Cosby’s Supposed Death Lead to FAKEAV- TrendLabs Malware Blog

cmosby — Wed, 17 Feb 2010 05:00:00 GMT

img {max-width:650px;width: expression(this.width > 650 ? 650: true);border-style:none; behavior: url(../iepngfix.htc); }

Feb12

Searches for Super Bowl News and Bill Cosby’s Supposed Death Lead to FAKEAV

3:12 am (UTC-7) | by Danielle Veluz (Technical Communications)

It is that time of the year once again for football enthusiasts and sports fanatics alike with the latest season of Super Bowl. The Super Bowl is one of the U.S. television broadcasting industry’s top-rating shows, drawing thousands of live viewers each game. This year, according to Nielsen, 106.5 million viewers reportedly watched the games, some 24 percent of whom, according to Mashable, watched online.

This is probably why cybercriminals take advantage of the show’s popularity, trying to lure unsuspecting fans via blackhat search engine optimization (SEO) techniques. This is, of course, no longer new, it has happened before but that did not stop cybercriminals from using the same tactics again to push a FAKEAV to online viewers.

Trend Micro threat analysts found that searching for “Super Bowl 44 airtime” in Google led to results that redirected users to malicious sites that claim to contain the information they are looking for.

Upon clicking the link, a prompt alerts users of supposed malware infections, an all-too-familiar tactic rogue antivirus peddlers use to sell their malicious wares.

Also, apart from exploiting an attention-grabbing sports event, cybercriminals have taken advantage of another actor’s supposed death—that of comedian, Bill Cosby—to propagate the exact same FAKEAV variant detected by Trend Micro as TROJ_FAKEAL.SMDP.

As in previously featured blackhat SEO attacks, users face the same risks yet again, including credit card theft:

Trend Micro™ Smart Protection Network™ protects product users from these threats by blocking user access to malicious sites and detecting and preventing the download of harmful binary files such as packupdate_build7_195.exe aka TROJ_FAKEAL.SMDP.

Non-Trend Micro product users, on the other hand, can also stay protected by using free tools such as Web Protection Add-On.

ZBOT Variant Spoofs the NIC to Spam Other Government Agencies – TrendLabs Malware Blog

cmosby — Wed, 17 Feb 2010 05:00:00 GMT

Feb14

ZBOT Variant Spoofs the NIC to Spam Other Government Agencies

6:32 pm (UTC-7) | by Oscar Abendan (Technical Communications)

Spammers are becoming bolder, targeting even government agencies such as the National Intelligence Council (NIC) to further their malicious causes.

Trend Micro fraud analysts were recently alerted to the discovery of spammed messages that purported to come from the NIC—the Intelligence Community (IC)’s center for midterm and long-term strategic thinking. The NIC provides intelligence reports to members of the IC, including the National Security Agency (NSA).

Independent security researcher, Brian Krebs, in his blog confirmed that these messages were spoofed due to several obvious reasons, including:

The email address used in the spammed messages was nic@nsa.gov.
Another version purported to come from admin@intelink.gov. Extracting the header information, however, revealed that the real sender’s email address was {BLOCKED}@sh16.ruskyhost.ru.
The spam run also specifically targeted email addresses with .gov and .mil domain names.

The spammed messages persuaded recipients to download the .EXE file attachment, a spoofed version of the NIC’s “2020 Project.” In reality, however, the file is a ZBOT variant detected as TROJ_ZBOT.SVR.

Like its well-known predecessors, this ZBOT variant is also an information stealer, as evidenced by the following published reports:

Trend Micro product users need not worry, however, as Smart Protection Network™ protects them from this threat by preventing the spammed messages from even getting into their inboxes via the email reputation service and by detecting and blocking the download of the malicious .EXE file via the file reputation service.

Non-Trend Micro product users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

Zeus Campaign Targeted Government Departments – Websense Alerts

cmosby — Wed, 17 Feb 2010 05:00:00 GMT

Zeus Campaign Targeted Government Departments

Date:02.08.2010

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered a new Zeus campaign (a banking data stealing Trojan) which is now targeting government departments. Our research shows that the campaign has especially targeted workers from government and military departments in the UK and US: we found most victims' email addresses end with .gov.

Figure 1 - Zeus Campaign:

Our ThreatSeeker™ Network has seen thousands of emails which pretend to be from the National Intelligence Council (see Figure 2). The email subjects include: "National Intelligence Council"
"RE: National Intelligence Council"
"Report of the National Intelligence Council"

Figure 2 - Content of the email:

The spoofed emails lure victims to download a document about the "2020 project"; this is actually a Zeus bot. The Web sites which host the bot look very trustworthy: one of them is a compromised organization Web site and the other is located on a popular file hosting service. The bot has rootkit capabilities and connects to C&C servers at update[removed].com and pack[removed].com to report back on a successful infection and to download some archives with DLLs, it also modifies the hosts file to prevent updates from popular anti-virus vendors.

Websense® Messaging and Websense Web Security customers are protected against this attack, however the anti-virus detection rate for this bot is currently at 26/40.

Black Hawk Down – F-Secure Weblog

cmosby — Fri, 12 Feb 2010 05:00:00 GMT

Black Hawk Down	Posted by Sarah @ 03:59 GMT \| Comments

Kudos to the Chinese authorities for shutting down an online hacker training operation known as the Black Hawk Safety Net.

The Black Hawk operation, which provides Trojan software and lessons in cyberattack techniques, comprises 12,000 paid subscribers and another 120,000 free members.

Three people who run the Black Hawk's website have been arrested, and the site has now been blocked from access. The police also seized nine servers, five computers and a car during the raid.

For further details, you can read it at Yahoo! News.

Cybercrime and the FIFA World Cup: 2010 Net Threat Website Launched – Symantec Security Response Blog

cmosby — Fri, 12 Feb 2010 05:00:00 GMT

Cybercrime and the FIFA World Cup: 2010 Net Threat Website Launched

Joshua Talbot

February 10th, 2010

I recall watching a Sandra Bullock film called “The Net” in the mid-nineties. It was about a software engineer, played by Bullock, who inadvertently became entangled in a web of cyber espionage and eventually had to fight for her identity (and even her life) in a flood of harrowing situations. One of the key plots in the film was that Bullock’s character was a recluse, rarely leaving her house and having virtually no life outside of cyberspace. This plot angle was a direct result of the budding age of the Internet and spurred popular discussions about how this newfangled “world wide web” was going to turn us all into hermits, cut off and desensitized to the real world around us.

I don’t know about you, but I still enjoy a nice walk in the park and dinner out with friends. However, it would seem that at least one group among us has grown quite desensitized to the finer points of the real world; these days, it seems nothing is off-limits to cybercriminals.

Now I know that criminals are often predators that take advantage of others, but it seems as if cybercriminals are a special breed. They operate in the shadows of the digital world, never having to see the faces or personal sides of their victims. To them, their victims are nothing more than a means to a credit card number on a screen. Thus, we see them regularly trying to steal from computer users by exploiting even the most tragic situations: the crash of Air France Flight 447 last year and the recent Haiti earthquake are two that come to mind. In the case of the latter, cybercriminals even developed widespread scams trying to steal from good Samaritans attempting to donate to the relief efforts.

So, if the lowest of the low cybercriminals will exploit even the most tragic news event, think how many are trying to take advantage of computer users by capitalizing on any possible weakness—news related or not. It’s a bit of an eye opener.

With such a major world event as the 2010 FIFA World Cup nearly upon us, it’s more important than ever for computer users to be vigilant in protecting themselves. Symantec has historically observed that nearly every major sporting event quickly becomes the target of malware authors and spammers to some degree. Below are a couple of examples of some online scams we’ve recently seen around major sporting events.

This first e-mail, purporting to offer information about how to attend the NFL Pro Bowl 2010, is actually an underhanded pharmaceutical spam campaign:

This next screenshot is of poisoned search engine results involving the NFL’s Super Bowl XLIV that appeared not even 24 hours after the contenders were crowned as champions of their respective conferences. The popular search term “Super Bowl 2010 Score” brought up 26 dangerous websites among the first 100 results. Likewise, “Super Bowl 2010 Line” included 23 dangerous sites popping up among the first 100 results.

This screenshot shows a few of the malicious links that appear after searching for “Super Bowl 2010 Line”:

Attracting more than 1 billion soccer fans, Symantec anticipates that the World Cup (which starts on June 11) will be one of the most targeted events by malware authors and spammers this year. So, Symantec wants to beat cybercriminals to the punch. Today, Symantec announced a dedicated website, www.2010netthreat.com, which will feature data, commentary, safety tips, and useful links for soccer fans surfing the Internet for news, tickets, and information on the World Cup.

Symantec has already begun monitoring additional network sensors in southern Africa to analyze traffic and provide important security-related information to customers looking to secure their networks against additional World Cup-related threats. Much of the threat activity will not be new to the world of cybercrime: spam, phishing, identity theft, ticket scams, viruses, Trojans, drive-by downloads, and denial-of-service attacks targeted at anything associated with the World Cup.

We think the Net Threat site will go a long way in helping soccer fans stay safe online during the flurry of malicious activity we anticipate around the World Cup. However, computer users need to remember that online threats are always present and so online security best practices, such as the following, should always be adhered to:

•        Always keep your entire computer system, including the operating system, applications, plug-ins, etc. up to date with the latest security patches.
•        Have security software from a legitimate vendor up to date and running at all times.
•        Never open email attachments from unfamiliar senders and even be wary of unexpected attachments from known senders.
•        Don’t click on hyperlinks or URLs in emails from unknown senders or that seem strange.
•        Don’t click on links in social networking messages, even if from a known “friend,” that seem out of character.
•        Don’t accept social networking “friend” or “follower” requests from individuals you don’t know.
•        Think twice before entering your real birth date or other sensitive information on social networking sites.
•        Check your online account privacy settings regularly.
•        Use complex and unique passwords for each of your online accounts, and change them frequently.
•        Don’t share your passwords with anyone.
•        Don’t answer yes when prompted to save your passwords to a computer. Instead, rely on strong passwords committed to memory or stored in a dependable password management program.

Valentine’s Day Searches Lead to Malware – McAfee Labs Blog

cmosby — Fri, 12 Feb 2010 05:00:00 GMT

Valentine’s Day Searches Lead to Malware

Wednesday February 10, 2010 at 9:11 am CST
Posted by David Marcus

No Comments
Trackback

5, 4, 3, 2, 1…malware!

It’s like clockwork, ain’t it? A popular holiday–such as Valentine’s Day–approaches and malware authors and cybercriminals ready for it.

I have done some Valentine’s Day searches for poisoned terms and found some nasty ones very quickly. Screensavers and ecards are always popular:

Even Rolex watches on Valentine’s Day are not safe:

Some of the poisoned terms I have seen today:

Valentine’s Day Screensavers
Valentine’s Day Downloads
Valentine’s Day Wallpaper
Valentine’s Day Rolex
Valentine’s Day eCards
Animated Valentine’s Day
Valentine’s Day Greetings
Valentine’s Day Cupids
Valentine’s Day Gift Ideas

Make sure you surf safely with SiteAdvisor and keep that machine updated!

Cybercrime and the FIFA World Cup: 2010 Net Threat Website Launched – Symantec Security Response Blog

cmosby — Fri, 12 Feb 2010 05:00:00 GMT

Cybercrime and the FIFA World Cup: 2010 Net Threat Website Launched

Joshua Talbot

February 10th, 2010

This screenshot shows a few of the malicious links that appear after searching for “Super Bowl 2010 Line”: