17 Apr Boston Aftermath Michael
16 May Carolina Dieckmann, Brazilian cybercrime legislation and la “Viveza criolla” Dmitry Bestuzhev
07 Nov Gaddafi’s death in spam Maria
13 Apr Lab Matters - Malware in Spam Messages Ryan Naraine
05 Jul Spammers hacked pool Michael
15 Feb Need a Valentine‘s gift? Christian
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.
Today we already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious youtube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.
The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.
Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".
MD5sums of some of the collected samples:
Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.
“Nigerian” spammers are extremely quick to react to the world’s hottest news stories. News of the death of former Libyan leader Muammar Gaddafi had barely even broken before a string of emails from the “relatives of the deceased” began to appear.
Gaddafi’s inconsolable relatives would be amazed if they knew how many emails had been sent in their name to Internet users around the world.
Instead of joining in the funeral rites, it looks like Gaddaffi’s sons and daughters, or his wife, his brothers or even friends, have rushed straight to their PCs to write to people all over the world asking for help in spiriting uncountable millions of dollars out of the country.
According to the “Nigerians”, the family of the Libyan leader is worth hundreds of millions of dollars. The emails which fell into my hands cited a minimum figure of $300 million.
Most of these emails purport to come from “Gaddafi’s wife”. The spammers seem to think their heart-rending stories about her hard life in her husband’s family could explain her sudden desire to share his money with her close friends. Or even with distant strangers, depending on the recipient of the email.
She’s not alone, though: an unlikely coalition of “opposition forces”, “lawyers” and “bank clerks who have access to Gaddafi’s accounts” also share the general desire to transfer the Colonel’s money abroad.
“Nigerian” spam is, of course, pure fraud. None of Gaddafi’s wives or even his lawyers will ever send emails to someone they do not know asking for help in getting millions of dollars out of the country and offering an unknown agent the commission for doing so. If a user takes the bait the fraudsters will extort money from him to allegedly cover different “expenses” until no more money is left. One should be realistic about the many offers received via the Internet from an unverified source calling himself Colonel Gaddafi’s son (ALL OF A SUDDEN!).
Below are the screenshots of several “Nigerian letters” sent on behalf of Gaddafi’s family:
Head of Content Analysis and Research Darya Gudkova joins Ryan Naraine on this episode of Lab Matters to talk about the use of spam e-mails to launch malware attacks.
In recent spam mails we have often noticed links to *.html files with random names. Another trend is that the cybercriminals do not even bother to register domains for their dirty deeds, but simply plant their malicious code on compromised hosts. "Simply?" one may ask, and sadly the answer seems to be "yes" based on our observations.
For example, we have collected some hundred mails of a certain type promoting online software shops - a small portion is shown in the animated gif image below.
All of the samples stick out by virtue of the fact that they contain colored text/links which point to compromised legitimate websites. The links also show that the locations of the files are directly on the root URLs and not in a subfolder of some vulnerable application as we usually see.
Another sample reaching us today just confirms that the cybercriminals are not sparing with the domains they abuse, and indeed seem to have a pool of unknown quantity at their disposal. The capture below shows a spam mail where each of the 12 links in the mail body points to a unique site. All of these sites also contain malicious code in their root which we detect as 'Trojan-Clicker.JS.Agent.*'
Please do not attempt to visit these links shown if you are not sure of what you are doing.
It’s the same every year: as soon as Valentine's Day gets close, all the spammers concentrate on this event to spread unsolicited mails – sometimes with malicious little gifts.
An alltime favorite gift when it comes to Valentine's Day: flowers! This spam offers great savings when you buy flowers, but tries to trick you into a subscription, where you’ll get charged $9.95 every month via your credit card. Make sure you don't fall for it!
There have been a lot of variants of Email-Worm.Win32.Iksmas around lately. Now that Valentine's Day is over, we might have expected to see a few less of them, but no.
There's been a new flood of mass mailings spreading Iksmas - instead of professions of endless love, these messages are offering money saving coupons. And who's going to say no to a special offer?
The name of the worm executable varies, but all the names have one thing in common - save.exe, nocrisis.exe, etc. all reference the economic situation.
Of course, special offers are great, and we could all use a bit more cash.But stick to offers you know are genuine; if you go for scams like this, you're just putting money in the spammers' pockets.
Quite a few people have already said that we can expect to see an increase in malicious code spreading as Valentine's Day approaches. And no surprises – here it is. For the last couple of day, we've been receiving mass mailings of messages which supposedly will bring joy to the recipient, but which actually have a very different end result – a computer loaded with malware.
Here's an example: Smiley Kiss http://217.X.X.X/. When the user opens the link, he or she will see a picture like the ones below:
I must say that there are interesting times in the Netherlands. Normally we don't see Dutch used often in spam and phishing emails, but there's been a real spike the last 10 days.
It began last week on Monday with two simultaneous spam runs in Dutch: one about a supposed nuclear accident in Amsterdam and one purportedly from a girl called Polina who was in need of a 'friend'. Both of these spam runs tried to convince the user to install one and the same codec, which in reality was a Trojan-Spy.Win32.Zbot variant.
After this incident there was a spam run in Dutch concerning helpnumee.com. This site claimed to be part of the Aids foundation and was asking for donations. Obviously this was a fraud.
And then last night I saw a Dutch phishing email trying to steal Windows Live logins. We've notified the local CERT and hope that the site gets taken down promptly.
The quality of the Dutch varies from incident to incident, but overall has greatly improved over the attacks from six months ago. The Windows Live phishing email was an exception: it was written rather badly. However, the sad reality could be that the attackers are trying to mimic teenage slang as part of their social engineering strategy.
If these incidents are a sign of more to come than I foresee 2008 being a very interesting year for Dutch users.
For many of you, once again it's vacation time. While you are sitting on the beach and enjoying the sun in Ibiza or Sorrento, your friends at home may be receiving infected e-cards from you.
During the past days, we've intercepted a number of fake mailings which purportedly come from various e-card systems, such as Hallmark. Few examples:
They all seem to be following the same pattern - an URL is included which leads to a malicious file, usually a downloader. Once you get to run it on your system, it brings more malware which will eventually turn your computer into a spam sending zombie.
So if you send a greeting to your friends at home, consider using an old fashioned postcard. Besides being a lot safer, I think it's also more personal!
Wishing you happy and malware free vacations!