17 Apr Boston Aftermath Michael
11 Mar The Brazilian Phishing World Cup Fabio Assolini
06 Nov A Quick Look at the Twitter Phish Rotating through Domains Kurt Baumgartner
18 Oct Fraud abusing Google Docs Vicente Diaz
12 Oct Stealing currency permits from the Government Dmitry Bestuzhev
28 Sep A race against the spammers Maria
While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.
Today we already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious YouTube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.
The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.
Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".
MD5sums of some of the collected samples:
Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.
The 2014 FIFA World Cup has already kicked off, at least for Brazilian bad guys. Next year’s big event in Brazil has become one of the most prominent tactics used by Latin American cybercriminals as they unleash a real avalanche of phishing messages, fraudulent prizes and giveaways, malicious domains, fake tickets, credit card cloning, banking Trojans and a lot of social engineering.
Indeed, Brazil figured among the top five countries where users risk being caught ‘offside’ by phishing attacks, according to a recent study conducted by RSA and released in January. The country is in fourth place, along with the UK, USA, Canada and South Africa. So it's no big surprise to find four Brazilian brands in the Top 10 most targeted on PhishTank stats.
Offers range from alleged cash prizes, trips and tickets to watch the games, while the attacks involve massive phishing mailings, and, to add spurious credibility, stars of the national soccer team have been ‘signed up’ by the conmen. Here’s one example featuring Neymar, the latest Brazilian hero to be dubbed the new Pelé:
"Win a new car, cash prizes and tickets for the World Cup, just click and subscribe now"
A Twitter phishing scheme is spreading its wings, as the previous couple of phishing domains used by this scheme late last week have been taken down. So its operators have decided to put up multiple effective domains. Here are a couple of things to look for.
When you are using a browser like Google Chrome and you visit twitter.com, the browser displays a green URL indicator showing that the domain has been verified by an extended validation SSL CA. Now, with the CA breaches that we've seen in the past year (the DigiNotar breach report was finalized this past week), that may not mean everything. But, in this case, here is how you might verify that you are using the legitimate Twitter site:
This Direct Message lures victims with a dramatic notice: "Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on here". There are a handful of messages in use, as the GFI guys mentioned here last week. If you were to click on that bit.ly shortened link, your browser would be redirected through a click tracking service:
Do not enter your username and password at this site. Also, there are at least a half dozen other domains that look fairly close to "twitter.com", like this one. These guys are using all of them with the same page and graphics to tempt you into entering your credentials. This theft can be a risk if you re-use your passwords across accounts. Also, there is often other personal information within these Twitter accounts, like the email address used to create the account. So please keep an eye out for this sort of play on word-recognition in look-alike domains.
Phishing is not exactly a ground-breaking technique. Quite the opposite, it seems like it has been around forever. This is an indicator of its effectiveness: we might think that it is unlikely that people would give away their banking credentials just because they are asked for them, but still there is a percentage who continue to become victims of one of the simplest fraud methods.
However, both user awareness and anti-phishing tools are making it harder for fraudsters to succeed in their attempts to get our money. We see this reflected in the decreasing percentage of spam. That is not the only reason: users are switching to new platforms such as social networks for direct communication.
Today I want to show you an example of the creativity that goes into avoiding spam and phishing filters.
A few days ago, the latest VBSpam results were published. The testing, conducted by Virus Bulletin in August, saw Kaspersky Linux Mail Security 8.0 detect 99.93% of all the spam messages used in the test. This is a new record for Kaspersky of which we are very proud (if the number of congratulatory emails flying back and forth between us is anything to go by). Eugene Kaspersky also mentioned the result in his blog (http://eugene.kaspersky.com/2012/09/27/kaspersky-server-anti-spam-no-longer-the-underdog-more-top-dog/) – he’s proud of us too :)
I’m pretty sure that most of you guys know about the recent phone scam which is circulating right now. They have been calling a lot of people in countries such as Germany, Sweden, the UK and probably more. The scam is pretty simple: they pretend to be from a department within Microsoft which has received indications that your computer is infected with some malware. They will then offer (for free) to verify if this is the case. If the victim agrees to this, they will ask the victim to perform certain actions, and also type certain commands, which trick an inexperienced user into believing that the output shows the computer is infected.
I just want to mention that there is no such department at Microsoft, and they would never call up customers offering this. So if you ever get a call ‘from Microsoft’ stating that there are some indications that your computer is broken or infected - please hang up!
Well, they have called me several times, and finally I got fed up with this and started to play along. At the same time I had my virtual machines running and was recording everything that they were doing. The goal was to find out who they were and exactly what the scam was. Luckily I was able to get hold of information such as their internal IP addresses, the PayPal accounts used to wire money and the numbers they are calling from.
After having handled thousands and thousands of phishing emails/webpages, they usually don’t actually reach me in any way, shape or form. They are processed and added to our detection list in what is now a merely routine task. But recently I got a mail which was different because it appeared to be sent from my bank.
We wrote in our predictions for 2011 about cyber attacks that steal everything. In fact, cybercriminals are interested in stealing all kinds of data, including the miles you accumulate in frequent flyer programs. Customers of Brazilian airline companies are being targeted by a flood of phishing messages whose goal is to steal customers’ accounts and their miles in the frequent flyer programs maintained by local airlines. The miles stolen from customers are becoming a new kind of currency among Brazilian cybercriminals and phishers, who can use them to issue tickets for themselves, sell tickets to other criminals or use them in barter schemes.
The attacks involve the sending of phishing messages in mass mailings that promise more points in a frequent flyer program or offer a supposed prize. In some attacks the customer is asked to re-register on a fake website:
"Register now and earn more miles in the frequent flyer program"