In January we published the first of our malware wallpaper calendars. Here's the latest wallpaper.
Hopefully you'll find it eye-catching and it gives you the chance to see at-a-glance some of the significant malware-related events from the past.
TV series such as “The Simpsons” are hugely popular and have hundreds of thousands of fans around the world. Unlike “South Park”, another hugely popular series, not all of its episodes are freely available on the web. As a result there is high demand for these episodes, and, as usually happens, scams appear around them. Here is one such example that we have seen recently on the popular website Dailymotion:
Over the last few days, we received numerous reports of computers infected with fake anti-virus (scareware). The name of this particular culprit is Antivirus 8.
The interesting thing about these cases is that the users were getting fake anti-virus browser pop-ups while not actively using the computer. During our research we noticed that these pop-ups appeared exactly when ICQ was fetching and displaying new ads.
I installed ICQ and noticed the following after letting it run for a couple of minutes to fetch ads:
This page is hosted on [snip]charlotterusse.eu.
Going by the added iframe, it looks like this store's ad server was hacked, right? Not quite. I did some digging and found that none of these servers, other than charlotterusse.com, are actually related to this brand of clothing.
This means that somebody went to the trouble of pretending to be this store. This is done to make sure the ad distributor will actually run the campaign, since distributors are frequently approached by fraudsters and a campaign that appears to come from a known retailer is less likely to be refused.
What makes this case particularly interesting, however, is that the bad guys make it look as if their own server had been hacked. If the server appears to have been compromised, the criminals can claim that they are not the ones distributing the malware, but that someone else broke into their server to spread it. The ad distributor is then likely to simply issue a warning, which gives the criminals at least one more shot at infecting more machines.
This is another example of how trusted programs can be used to attack computers. It goes to show that anti-malware protection is needed no matter what the circumstances.
We've sent a notification to yieldmanager, who is the ad distributor in this case. We've not heard back from them at the time of writing.
A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.
Our users are protected from this worm, and all the URLs are being blacklisted in our products.
Here are some of the technical details:
Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:
This IP address will then do its final redirection job, which leads to the Fake AV website:
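The chain described above (shortener, throwaway domain serving m28sx.html, bare-IP host, fake AV landing page) is the kind of thing you want to trace without letting a browser render any of the hops. The following resolver is an added example, not code from the original post: it follows HTTP 3xx Location headers and HTML meta-refresh hops one at a time, records every hop, flags hops whose host is a literal IP address, and stops on a loop or a hop limit. The hostnames, IP address and HTML in the offline response map are constructed stand-ins using reserved example ranges, not the real domains from the campaign; the `fetch` callable is injected so the same code can run against that map or against a real no-auto-redirect session.

```python
"""Trace a shortened-URL redirect chain hop by hop without executing any page.

Added example, not from the original Securelist post. Only Location headers
and <meta http-equiv="refresh"> tags are read; no script is ever executed.
"""
import ipaddress
import re
import urllib.error
import urllib.request
from html import unescape
from urllib.parse import urljoin, urlparse

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
REFRESH_URL_RE = re.compile(r"""url\s*=\s*['"]?([^'"\s;]+)""", re.IGNORECASE)


def meta_refresh_target(body):
    """Return the URL from a <meta http-equiv="refresh"> tag, or None."""
    for tag in META_TAG_RE.findall(body or ""):
        attrs = {k.lower(): (dq or sq or bare)
                 for k, dq, sq, bare in ATTR_RE.findall(tag)}
        if attrs.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL_RE.search(attrs.get("content", ""))
            if m:
                return unescape(m.group(1))
    return None


def next_hop(url, status, headers, body):
    """Where this response sends the browser next; None if it is the landing page."""
    if 300 <= status < 400:
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if loc:
            return urljoin(url, loc)
    target = meta_refresh_target(body)
    return urljoin(url, target) if target else None


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow the chain manually. fetch(url) -> (status, headers, body).

    Returns {"hops": [...], "final": url, "stopped": "landed"|"loop"|"max_hops"}.
    """
    hops, url = [start_url], start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return {"hops": hops, "final": url, "stopped": "landed"}
        hops.append(nxt)
        if hops.count(nxt) > 1:
            return {"hops": hops, "final": nxt, "stopped": "loop"}
        url = nxt
    return {"hops": hops, "final": url, "stopped": "max_hops"}


# Constructed, offline stand-in for the chain in the post (reserved example
# names and a TEST-NET address, not the real campaign hosts).
FAKE_RESPONSES = {
    "http://goo.gl/EXAMPLE": (301, {"Location": "http://throwaway.example/m28sx.html"}, ""),
    "http://throwaway.example/m28sx.html": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=http://192.0.2.10/go.php"></head></html>'),
    "http://192.0.2.10/go.php": (302, {"location": "/scan/"}, ""),
    "http://192.0.2.10/scan/": (
        200, {"Content-Type": "text/html"},
        "<html><title>Your computer is infected! Download Antivirus</title></html>"),
}


def fake_fetch(url):
    """Offline fetch over the constructed map; raises KeyError on an unknown URL."""
    return FAKE_RESPONSES[url]


def live_fetch(url, timeout=10):
    """Real fetch that does NOT auto-follow redirects (urllib follows by default)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # hand the 3xx back to us instead of following it

    try:
        resp = urllib.request.build_opener(NoRedirect).open(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx surfaces here once following is off
        resp = err
    body = resp.read(64 * 1024).decode("utf-8", "replace")
    return resp.getcode(), dict(resp.headers), body


if __name__ == "__main__":
    result = trace_redirects("http://goo.gl/EXAMPLE", fake_fetch)
    for hop in result["hops"]:
        print(("[IP host] " if host_is_bare_ip(hop) else "          ") + hop)
    print("stopped:", result["stopped"])
```

Swap `fake_fetch` for `live_fetch` to trace a real shortened link; the 64 KiB body cap and the absence of any JavaScript evaluation mean a JS-only redirect will show up as the chain stopping at a 200 page, which is itself a useful signal to look at that page's source by hand.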
Right after that, to speed up the recruitment process, the messages started arriving via Windows Live Messenger (aka MSN):
And of course, the criminals also used legitimate accounts that had been hacked to spread their messages. Finally, right before the end of the year I saw a big campaign on Facebook, especially targeting Spanish speaking communities. But yesterday I was completely surprised when I found an advertising banner on a legitimate IT site leading to the same page – money mule recruitment.
All these developments make me think there is huge demand on the black market for money mules. The criminals seem to have plenty of stolen information, such as credit card PINs and details for online banking accounts and payment systems. Their problem now is how to launder the money they have made. Our statistics confirm a clear growth in Trojan-Spy malware able to steal any kind of personal information, including well known Trojans like Zbot (Zeus) and SpyEye.
It's worth remembering that acting as a money mule is illegal. Basically, if nobody were willing to launder their money, cybercriminals would find it much harder to profit from stolen account details. Everyone can contribute in their own way to global security, not just AV and other security companies.
Programs for cracking commercial software are, sadly, far from unpopular. They have also caught the attention of malware writers, who have prepared a couple of surprises for those who don't mind a free ride every now and then.
A short time ago, we detected a Trojan dropper which passes itself off as a key generator for Kaspersky Lab products. The file’s name is kaspersky.exe.
Once launched, the file displays a key generator window prompting the user to select a product. After one of the options is selected, the program proceeds to generate a key.
While the freebie lover is waiting for the result, two pieces of malware that were stealthily installed and launched by the dropper make themselves at home on the PC.
One of these is detected by Kaspersky Lab as Trojan.MSIL.Agent.aor. It steals registration data for other programs, as well as passwords, mostly for online games. It rather considerately stores all the stolen data in one file. A fragment of the file is shown on the screenshot below.
Cybercriminals like to register domain names that are very similar to well known domain names but with one or more letters changed. In many cases a potential victim mistypes a letter and in this way arrives at a fake web site instead of the original one.
Here is just one example of this: a copy of the official Russian Web page of Kaspersky. The criminals added just one small line inside of the ‘downloads’ tab promoting a fake download for a free, one year copy of Kaspersky Internet Security 2011.
Instead of KIS 2011 the victim gets malware. This is ransomware which, after the installation, forces a reboot of your PC. Upon completing the reboot the malware shows a fake message that you’ve won a prize of a Samsung Galaxy S cellphone for just 1200 rubles (40 USD)! To claim this prize, you should pay via SMS text or, optionally through one of the popular on-line payments systems in Russia.
Kaspersky Anti-Virus detects this threat as Trojan-Ransom.MSIL.FakeInstaller.e. At the time of writing the malicious site was still online and was also flagged by Kaspersky Internet Security Web Anti-Virus as fraudulent.
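Both the typosquatted Kaspersky page above and the charlotterusse.eu ad server in the ICQ case earlier on this page are lookalike domains: one with a letter changed, the other with only the TLD swapped. The code below is an added example, not from either post, of how a defender can enumerate such lookalikes for a brand and score domains seen in logs or ad creatives against them. It generates single-edit variants of the registrable label (a letter dropped, doubled, transposed, replaced or swapped for a visually similar character), treats a same-label/different-TLD domain as a TLD swap, and falls back to an edit-distance check. The brand list, the homoglyph table and the "observed" domains in the test are constructed illustrations, not claims about any real registration; the domain split is naive (no public-suffix list), which is noted in the code.

```python
"""Generate typosquat candidates for a brand domain and score lookalikes.

Added example, not code from the original posts. The homoglyph table is a
constructed, partial list; the domain split does not consult a public-suffix
list, so 'example.co.uk' would be split as ('co', 'uk').
"""
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"
# Visually confusable substitutions seen in lookalike domains (constructed, partial).
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
              "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"]}


def split_domain(domain):
    """'www.kaspersky.ru' -> ('kaspersky', 'ru'). Naive: last two labels only."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2], parts[-1]


def typo_labels(label):
    """All single-edit variants of a label: omission, doubling, adjacent
    transposition, substitution from ALPHABET, and homoglyph swaps."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # drop a character
        out.add(label[:i] + label[i] + label[i:])          # double a character
        if i + 1 < len(label):                             # swap neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for c in ALPHABET:                                 # change a character
            out.add(label[:i] + c + label[i + 1:])
    for src, dsts in HOMOGLYPHS.items():                   # confusable characters
        if src in label:
            for dst in dsts:
                out.add(label.replace(src, dst, 1))
    out.discard(label)
    return {l for l in out if l and not l.startswith("-") and not l.endswith("-")}


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_verdict(observed, brand_domains, max_distance=2):
    """Compare a domain seen in the wild against the brand's genuine domains.

    Returns (matched_brand_domain, reason) for a lookalike, None for the genuine
    domain or for something unrelated.
    """
    genuine = {split_domain(b) for b in brand_domains}
    o_label, o_tld = split_domain(observed)
    if (o_label, o_tld) in genuine:
        return None                                        # the real thing
    for brand in brand_domains:
        b_label, b_tld = split_domain(brand)
        if o_label == b_label:
            return brand, f"tld swap .{b_tld} -> .{o_tld}"
        if o_label in typo_labels(b_label):
            return brand, "single-edit typo of label"
        dist = damerau_levenshtein(o_label, b_label)
        if dist <= max_distance:
            return brand, f"edit distance {dist} from label"
    return None


if __name__ == "__main__":
    # Constructed observations; the brand list is an assumed input.
    brands = ["kaspersky.ru", "kaspersky.com", "charlotterusse.com"]
    for seen in ["kaspersky.ru", "kasperski.ru", "charlotterusse.eu", "example.org"]:
        print(f"{seen:24} -> {lookalike_verdict(seen, brands)}")
```

For monitoring, feed `typo_labels(label)` joined with the brand's TLDs into a registration or passive-DNS feed to catch lookalikes at registration time; for log triage, run `lookalike_verdict` over the hosts in ad creatives or referrer fields and escalate anything that is not `None`.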
What happens when all of your personal data is readily available for use by a cybercriminal?
Last November we published a blog post about Brazilian phishing attacks that displayed the victims' CPF numbers. The CPF (Cadastro de Pessoas Físicas, the Natural Persons Register) is the equivalent of a Social Security number, used by the Brazilian government to identify each citizen. A CPF is the most important document a Brazilian citizen possesses. It is a prerequisite for a series of tasks such as opening a bank account, getting or renewing a driver's license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), and getting a passport or credit cards.
But this incident was just the tip of the iceberg.
Through our constant monitoring of malicious activity, we found some bad guys offering access to a complete database of all Brazilian citizens that have a CPF. All you need to do is look up a number and the system returns the complete personal data of a potential victim. The database is complete and contains data about every Brazilian, including myself.
The search results display the person's full name, date of birth, address, parents' names, city, zip code and so on, all readily available to a cybercriminal.
We found 3 mirrors of this website offering this kind of ‘service’ to Brazilian bad guys – it’s a service that we call C2C (cybercriminals to cybercriminals).
Using such data a cybercriminal can impersonate a victim and steal their identity in order to access resources or obtain credit and other benefits in that person's name. Another malicious use involves Internet banking: when you perform an online operation, your bank will probably ask for some personal information to confirm your identity. Having that information gives the cybercriminals the first step towards a targeted attack using your data.
You are probably wondering how the cybercriminals obtained this kind of information. Basically, it came from data leaks, not only from government departments, but also from e-commerce and other corporate entities whose databases were attacked and whose data was stolen.
Nowadays the problem of protecting private information is not confined to users; it applies equally to governments and corporations. Nor is Brazil the only country facing such problems. Over the years, governmental and corporate databases in many other nations have reported similar instances of sensitive information about citizens or employees being leaked.
The Brazilian authorities are currently investigating this incident.
We’ll keep researching this issue and will keep you updated.