News on Spams

FBI: Hundreds Of Thousands May Lose Internet In July

Posted on


Cybersecurity

WASHINGTON (AP) — For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections this summer.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system is to be shut down.

The FBI is encouraging users to visit a website run by its security partner, http://www.dcwg.org , that will inform them whether they’re infected and explain how to fix the problem. After July 9, infected users won’t be able to connect to the Internet.

Most victims don’t even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

Last November, the FBI and other authorities were preparing to take down a hacker ring that had been running an Internet ad scam on a massive network of infected computers.MORE

IMG0893.zip – Your photo all over Facebook? Naked? Malware campaign spammed out

Posted on Updated on


SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient.

The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse.

Malicious email

Subject lines used in the spammed-out malware campaign include:

  • RE:Check the attachment you have to react somehow to this picture
  • FW:Check the attachment you have to react somehow to this picture
  • RE:You HAVE to check this photo in attachment man
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?

Subject lines used in the spammed-out malware campaign

The message bodies contained inside the email can also vary. Here are some examples:

    • Hi there ,
      I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.
  • Hi there ,
    I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than i thought about you man :)))).
  • Excuse me,
    But i really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.MORE

Fake Instagram app infects Android devices with malware

Posted on


InstagramTempted to try out the much talked about Instagram app? Well, be careful where you get it from – as malware authors are distributing malware disguised as the popular app.

It’s a rain cloud on a summer’s day for the Instagram photo-sharing smartphone app, which is otherwise having a glorious time right now.

First of all, Instagram released a first version for Android and managed to get five million downloads in less than a week.

Then the 13-employee firm managed to sell itself to Facebook for a cool $1 billion, making some of us wonder about privacy, and others think – “to heck with that, do I have a program that’s never earnt any money that I might be able to flog to Mark Zuckerberg?”.

Naturally, the Facebook acquisition news raised Instagram to even higher levels of public awareness and that’s where the bad guys stepped in.

Cybercriminals have created fake versions of the Instagram Android app, designed to earn money from unsuspecting users.MORE

Duqu Malware, son of Stuxnet raises questions of origin and intent

Posted on


Laptop spy

Early today Symantec published an inside look at a new targeted malware attack called Duqu. This might not be important news if it weren’t for its ties to Stuxnet.

Early analysis of Duqu shows it has evolved from the Stuxnet codebase. We shouldn’t jump to conclusions that it was developed by the same authors, but whoever created this malware likely had access to the original source code used to compile Stuxnet.

The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components.

Symantec reports that after it retrieves the additional malicious files it is focused on gathering information rather than industrial sabotage.

SophosLabs confirms that the driver files are signed, similar to the drivers used by Stuxnet. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for their embedded audio chipsets.

Signature of driver file:

SHA1 hash of file: A5190A8E01978C903BF1FABCFCBA40D75996D8B9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C

This may not be a coincidence, as Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers in the same neighbourhood.

The mystery remains, however. Were these certificates stolen, or simply generated through compromised certificates to appear to belong to these organizations?

As with Stuxnet, it is too early to determine anything definitive about the who, why or what this malware was designed to do. I can assure you that the security industry will be analyzing these samples diligently to determine their intent.

Sophos customers are protected against the primary sample of this malware as Troj/Bdoor-BDA and the malicious driver files as W32/Duqu-A. SRC

Horrible blog going around about you? Or a Twitter phishing attack?

Posted on


Malicious Twitter

You may not realise it, but your Twitter account is worth money.

Cybercriminals are keen to compromise your Twitter account, so they can spam out messages (either as public tweets, or less obvious direct messages to your online friends) in the hope that some recipients will click on the links.

What lies at the end of the links can vary. It might be a webpage offering you a new wonder diet, or a pornographic website, or a link to a download designed to infect your computer.

But first they need to commandeer your Twitter account, and the simplest way for them to do this is just to ask you for your Twitter username and password.

Here’s an example of the latest attack that has been seen on Twitter. The message arrives in the form of a direct message (DM), and has a pretty enticing reason for you to click on the link: more

Google’s Picasa and Yahoo! Groups used to spread spam

Posted on


No spam mailbox

One of the most effective techniques anti-spam products have to block spam messages from reaching your inbox is reputation filtering.

Yes, to a degree, anti-spam solutions may still look for v1@gr@and Mrs. Gaddafi offering you $40 million, but the biggest bang for your buck comes from reputation.

What do you do if you are a spammer? Figure out a way to get a legitimate mail provider to deliver your messages for you…MORE

Hurricane Irene clickjacking scam on Facebook

Posted on


Hurricane Irene

States in the USA, such as Vermont and New Jersey, are continuing to deal with heavy flooding in the aftermath of Hurricane Irene.

And we weren’t surprised to find internet scammers attempting to profit from other people’s misery.

For instance, here is a clickjacking scam which at the time of writing is still active on Facebook.

Hurricane Irene Facebook clickjacking scam

This Facebook page reads:

VIDEO SHOCK - Hurricane Irene New York kills All

All? Hmm.. that would be a rather fanciful claim even for the most sensationalist tabloid report. But maybe it will be enough to make you click further.

Hurricane Irene Facebook clickjacking scam

BAM! Too late. You’ve been clickjacked. Even before you’ve had a chance to notice that the page is suddenly talking to you in Italian, the webpage has taken your click onto what you thought was the video’s play button and secretly behind-the-scenes tricked you into saying you “Like” the page – thus promoting it to your online Facebook friends.

If you were running an add-on like NoScript for Firefox you would have been protected by a warning message:

Hurricane Irene Facebook clickjacking scam intercepted by NoScript

But let’s imagine that you weren’t protected. What happens next?

Hurricane Irene Facebook clickjacking scam

The page insists that you share the link to the Facebook page, presumably in an attempt to increase its viral spread. So far things don’t seem to be working well for the scammers – as only 12 people have said they “Like” the page (and one of those is my test account). Maybe folks are suspicious about a claim that Hurricane Irene has killed *everyone* in New York.

Hurricane Irene Facebook clickjacking scam

You’re still keen to watch the video, of course, but first the scammers want you to take an online survey – which not only asks you for personal information but also can earn them commission.

If you are hit by a scam like this you should remove the page from the list of pages that your Facebook profile likes..

Unlike Hurricane Irene Facebook clickjacking scam

..and remove it from your newsfeed, reporting it as spam to Facebook.

Remove Hurricane Irene Facebook clickjacking scam

The good news is that this particular scam hasn’t become widespread, but many others do.

If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 100,000 people regularly discuss the latest attacks.

UK student loans targeted by phishers in latest spam campaign

Posted on


With British students about to start another year at university, the last thing they probably want to hear is that there is a problem with a student loan.

But that’s precisely the camouflage that online scammers are using to steal personal information today.

An email, claiming to come from Directgov UK, tells students that there is a problem with the online account for their student loan, and they need to update their account urgently.

Here’s a typical spammed-out message we’ve seen in our traps:

Student loan phishing attack

Subject:

Student Loan Update.

Message body:

Dear Student Finance Customer.

We at HM Government noticed your Student loan online log in details is incorrect and need to be updated.

DOWNLOAD THE ATTACHMENT TO UPDATE YOUR ACCOUNT NOW

Regards
Inline Verification. Directgov UK.

Attached file:

Student Loan Update.html

Clicking on the HTML attachment is not a good idea, however, as it will urge you to enter your details which are then sent via a website to the phishers.

Student loan phishing attack

Sophos products block the message as spam, and block the webpage that the HTML form is attempting to post the personal information.

Remember to always be suspicious of unsolicited attachments. Also, I would hope that a good student would have noticed the grammatical mistake in the phisher’s email..