Spam

On 20 March, we detected a spam campaign targeting passengers of US Airways. Almost the entire week cybercriminals were sending users the following email allegedly from US Airways:

There is a brief description of the check-in procedure and a confirmation code is provided for online reservation.

The criminals are obviously banking on any recipients flying on the flight mentioned in the email clicking on the link "Online reservation details".

Different emails contained different links — for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.

After clicking the link a series of redirects eventually leads to a domain hosting BlackHole Exploit Kit.

In their attempts to bypass e-mail filtering systems and deliver their information to users, spammers often resort to all sorts of tricks. Although really new tricks (such as distributing mp3 files with voice-generated messages) are relatively uncommon, sometimes they do come up.

Kaspersky Lab analysts have recently come across a few curious samples. While masking text with noise is nothing out of the ordinary, the links were arranged in a rather unusual way.

The trick itself turned out to be rather simple and has been relatively harmless so far: a URL in the message is a request to a website that is vulnerable to SQL injection. The code yields one string, which is a spam link (in this case, a typical pharmacy ad). This is where the browser is redirected – naturally, if the original site allows such code to be executed.

Some instances we encountered during a week of observations demonstrate that following a large-scale SQL-attack LizaMoon many website owners took relevant security measures and finding suitable “donors” on a mass scale was not at all that simple.

It’s February, and that means Valentine’s Day-related spam. Lots of it! There are already loads of adverts offering expensive alcohol and chocolates, jewellery and leather goods, romantic trips for two etc.

Other goods that are traditionally advertised in spam, such as fake designer watches and Viagra, have also exploited the Valentine’s Day theme to grab the attention of email recipients. The spammers appear convinced that there’s no better time than 14th February to increase your libido or buy cheap replicas of designer watches:

So far, this year’s Valentine’s Day spam has been mostly harmless, but we would like to warn our readers once again that the first half of February usually sees a surge in malicious links appearing in emails that appear to be for virtual greeting cards. So, be careful if you receive an e-card – make sure it has come from a genuine source before clicking any links.

Kaspersky Lab will be following developments closely in the run-up to Valentine’s Day.

You might think if you don't use Internet banking, you're not going to be targeted by phishers. Or you might have heard about phishing attacks targeting PayPal and eBay users, so you're careful not to fall for fake emails from these organizations. But even if you're reasonably security aware, there are phishing messages out there designed to catch you out!

We got a message today which seemed to come from Blizzard:

Of course, this message is designed to get people to give up their account details. Whoever created this email was smart enough not to include any links in the message – after all, lots of people are now on the lookout for signs of a typical phishing message. Looking for other typical signs doesn't reveal very much: the mail client shows the sender address as wowaccountadmin@blizzard.com, although the email was actually sent from wowaccountadmin@blizzarid.com.

So what should you do if there aren't any obvious signs that a message is a fake? One simple rule will help you protect yourself: if you get an email asking for your password or other confidential details, assume it's a fake unless you can verify it by other means.

Today our spam traps caught a phishing email targeting Paypal users that we detect proactively as Trojan-Spy.HTML.Fraud.gen.

Of course such emails normally aren't anything special - the interesting bit about this one is that it's in Dutch. This falls in with my prediction towards the end of last year that we'd start to see an increase in the use of Dutch (which is, after all, a minority language) in cyber scams.

A bit of searching through our archives showed that this mail was a re-run from an attack that occurred last week. This indicates that the first one was probably reasonably successful – if not, why resend the same email?

Although it's pretty good, the Dutch is not exactly perfect. This in itself might alert users to the fact that something is not quite legitimate. And the bad guys forgot another major factor – although the email is in Dutch, the site that it links to isn't. Hopefully this will act as a red flag so that recipients don't enter their data on the site.

Our Mexican email addresses started receiving messages on the 19th and 20th of February that looked like standard greeting card emails.

Of course, the messages were fake. The links in the messages sent users to a completely different site – they all led to http://72.9.134.130/~rockybob/ (naturally, we've obscured the link).

Once the user is on this site, a specially crafted php script gets executed, which downloads a malicious file called TarjetasNico.exe from another site.

Quite a few people have already said that we can expect to see an increase in malicious code spreading as Valentine's Day approaches. And no surprises – here it is. For the last couple of day, we've been receiving mass mailings of messages which supposedly will bring joy to the recipient, but which actually have a very different end result – a computer loaded with malware.

Here's an example: Smiley Kiss http://217.X.X.X/. When the user opens the link, he or she will see a picture like the ones below:

I must say that there are interesting times in the Netherlands. Normally we don't see Dutch used often in spam and phishing emails, but there's been a real spike the last 10 days.

It began last week on Monday with two simultaneous spam runs in Dutch: one about a supposed nuclear accident in Amsterdam and one purportedly from a girl called Polina who was in need of a 'friend'. Both of these spam runs tried to convince the user to install one and the same codec, which in reality was a Trojan-Spy.Win32.Zbot variant.

After this incident there was a spam run in Dutch concerning helpnumee.com. This site claimed to be part of the Aids foundation and was asking for donations. Obviously this was a fraud.

And then last night I saw a Dutch phishing email trying to steal Windows Live logins. We've notified the local CERT and hope that the site gets taken down promptly.

The quality of the Dutch varies from incident to incident, but overall has greatly improved over the attacks from six months ago. The Windows Live phishing email was an exception: it was written rather badly. However, the sad reality could be that the attackers are trying to mimic teenage slang as part of their social engineering strategy.

If these incidents are a sign of more to come than I foresee 2008 being a very interesting year for Dutch users.

For many of you, once again it's vacation time. While you are sitting on the beach and enjoying the sun in Ibiza or Sorrento, your friends at home may be receiving infected e-cards from you.

During the past days, we've intercepted a number of fake mailings which purportedly come from various e-card systems, such as Hallmark. Few examples:

They all seem to be following the same pattern - an URL is included which leads to a malicious file, usually a downloader. Once you get to run it on your system, it brings more malware which will eventually turn your computer into a spam sending zombie.

So if you send a greeting to your friends at home, consider using an old fashioned postcard. Besides being a lot safer, I think it's also more personal!

Wishing you happy and malware free vacations!

Yesterday I came across something interesting. An email caught by some of our mailtraps, written in poor Dutch, about a site which can get you free sex.

Obviously I was interested in the matter as this didn't look like a typical spam email. These days most Dutch spam emails are about casinos. The site mentioned in the email contained a version of the popular MS XML exploit, MS06-71. We already detected this particular variant as
Trojan-Downloader.JS.Psyme.il.

The purpose of the exploit is to download and execute a backdoor, which we are now detecting as Backdoor.Win32.VB.bcv. After discovery we notified GOVCERT, the Dutch CERT, and they acted quickly to have the site taken down.

Next to this incident we're also picking up increased activity of the gang behind the later variants of Backdoor.Win32.MSNMaker, which is mostly spreading in The Netherlands as well.

Malicious emails/messages tailored to the Dutch market have been rare, but they are on the up. People can no longer assume that emails/messages in Dutch are automatically benign and will have to start being more careful.