24 Apr Changing characters: something exotic in place of regular Latin script Maria Rubinstein
24 Apr CeCOS VIII - Hong Kong Michael
23 Apr Easter bunnies for all occasions Tatiana Kulikova
23 Apr An SMS Trojan with global ambitions Roman Unuchek
17 Apr New threat: Trojan-SMS.AndroidOS.Stealer.a Victor Chebyshev
16 Apr Would you like some Zeus with your coffee? Maria Vergelis
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Spammers use all types of tricks to bypass spam filters: adding ‘noise’ to texts, inserting redirects to advertised sites, replacing text with pictures – anything to stop the automatic filter from reading the keywords and blocking the message. Recently, we’ve been seeing a trend to replace Latin characters with similar-looking symbols from other alphabets. This “font kink” is especially typical of phishing messages written in Italian.
Non-Latin characters are inserted in place of similar-looking Latin characters both in the “Subject” field and in the body of the message. Here is an example of what headers obscured with ‘foreign’ symbols look like:
The eighth annual Counter-eCrime Operations Summit (CeCOS VIII) was held in Hong Kong on April 8th , 9th and 10th, 2014.
The event brings together global leaders from financial services, technology, government, law enforcement, communications sectors and research centers.
Cybercrime fighters from the field examined:
- Public-source criminal tracking techniques
- Cloud and mobile malware forensics
- The latest crimeware and web-based attack schemes
- Bitcoin as a cybercrime tool
- Globalized industrial cybercrime event data sharing
- Ransomware scams menacing businesses
- Global approaches to securing the Domain Name System
CeCOS VIII was an open conference for members of the electronic-crime fighting community. The agenda is located at http://apwg.org/apwg-events/cecos2014/agenda and I had the opportunity to share recent research results on the second day of the event.
On the eve of Easter, we noticed an unusual chain of spam messages. The spammers offered various services: from reducing mortgage costs and helping repay a loan, to enhancing male sexual performance. Neither the subject nor the text of the message had any allusions to the approaching holiday; however, the links leading to the sites advertised by the slogans included Easter-themed keywords: eastertime, easterbunnies, greateastern.
Recently, we’ve seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware ТОР 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.
But this is not all. Another Trojan, Trojan-SMS.AndroidOS.FakeInst.ef, targets users in 66 countries, including the US. This is the first case we have found involving an active SMS Trojan in the United States.
The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.
This SMS Trojan has actively been pushed by cybercriminals in Russia, and there have also been continual attempts to attack users in Europe and Asia. Infections with this Trojan have occurred virtually everywhere across the globe:
Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on fake messages supposedly from coffee chain Starbucks combined the two.
In the first week of April 2014 we were at “The Symposium on Security for Asia Network" (SyScan), a “geeky” single-track conference located in Singapore.
I liked the friendly atmosphere from the very first slides of the event (as is seen above).
The program covered hardware and software attacks like “Car Hacking”, “Defeating SecureBoot”, “Point-of-Sale”-hacks (“Flappy Bird” injected on a mobile POS device was my favorite), “RFID”-hacks, “Anti-Virus Software” flaws, “Phone hacks”, “OS-Hacks” and a “Linux Memory Forensic” case study amongst others.
All of the presentations were of quite high quality in content and most of the speakers did a nice job presenting their content.
Much beer did flow at the “BarCon” at the end of day one ...
Many websites show different text depending on where the user lives. For instance, home pages of some portals show you the news and weather of your region by default, because you are most likely to be interested in this kind of information first of all.
Of course, spammers and fraudsters also make use of this approach.
The following letter, written in Spanish, advertises an easy way to earn money online:
The attached link directs users to times-financials.com, registered in October 2013, according to the information on whois:
“Moscow City dad makes $14,000 per month” – says the title.
From Moscow? Hmmm.
This month's Adobe Patch Tuesday revolves around Flash. This means the zero-days used by VUPEN to exploit Adobe Reader at CanSecWest last month go unpatched.
CVE-2014-0506 and CVE-2014-0507 deal with remote code execution and were both used separately at CanSecWest's Pwn2Own. (It looks like these CVEs were initially assigned CVE-2014-0511 and CVE-2014-0510.)
Absolutely all of the latest versions of Microsoft Word and some versions of Internet Explorer maintain critical vulnerabilities enabling remote code execution. Today, Microsoft releases two critical patches to close multiple vulnerabilities with each. Two important updates are released to address a batch file handling issue and another RCE hole in Microsoft Publisher. All of these are addressed with MS14-017 through MS14-020.
Both end users of Microsoft Office software and system administrators of SharePoint portals, Microsoft Office Web Apps servers, and even Apple Office for Mac users need to download and install these patches: MS14-017 and MS14-018.
These sorts of Office vulnerabilities are commonly and frequently the delivery vector for targeted attack spearphishing campaigns. Red October, NetTraveler, and Icefog, all abused Office vulnerabilities in their spearphishing campaigns. There are many more of these groups, and they will continue to actively pursue potential victims, in part using exploits for Office applications.
On the brighter side, Microsoft is doing a fantastic job of consistent response and update delivery. Accordingly, their software, while it continues to be heavily used, does not continue to remain even in the top 10 vulnerable software applications that we see. Those spots still go to Oracle's Java, Adobe's Flash and Photoshop, Apple's Quicktime, WinRAR, WinAmp and other media players, and other apps that are frequently targeted by commodity exploit packs.
The Internet Explorer vulnerabilities do not hit all of the Microsoft platforms in the same manner as the Word vuln this month, although critical RCE is enabled by every version of unpatched Internet Explorer code on at least one version of every Microsoft Windows platform. So, Internet Explorer 6, which no one should be using, maintains critical RCE on the now unsupported Windows XP SP3 and XP Pro x64 SP2. IE 7, 8, 9 all maintain critical RCE as well. Internet Explorer 10 is not affected. IE 11 on Windows 7 and Windows 8.1 maintains critical RCE, but moderate severity on Windows Server 2008 and Windows 2012 R2. The Windows Update software will smoothly make sense of all of the versioning and patch needs for you when run. Nonetheless, there are serious issues here that exploit packs likely will attack with fresh exploit code.