04 Dec ZeuS – now packed as an antivirus update Andrey Kostin
28 Oct ‘Nigerian’ letters - now with a Syrian twist Tatyana Shcherbakova
17 Apr Boston Aftermath Michael
09 Apr Absent-minded spammers Tatiana Kulikova
11 Mar The Brazilian Phishing World Cup Fabio Assolini
18 Oct Fraud abusing Google Docs Vicente Diaz
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Last week, Kaspersky Lab identified a mass mailing of phishing letters sent in the name of leading IT security providers. The messages we detected used the product and service names belonging to Kaspersky Lab, McAfee, ESET NOD32 and many others.
The text and general layout of each letter followed the same template; only the senders’ names and the IT security solutions mentioned in the text were different. In their messages, the cybercriminals invited the reader to install an important security update for his/her security solution to guarantee protection against a new piece of malware supposedly ravaging the web. To do so, the user simply needed to open the attached ZIP archive and launch the executable file in it. Not surprisingly, the writers urged their victims to act immediately rather than spend time thinking about who might be behind this sudden urgent letter.
The continuing conflict and the complex political situation in Syria have created the perfect conditions for new ‘Nigerian’ scams. In recent months, there has been a surge in the number of Nigerian letters that contained some sort of reference to Syria; scammers sent messages both in the names of ordinary citizens of that country and on behalf of representatives of banks and humanitarian organizations. The texts of the messages made frequent use of words such as “turmoil”, “crisis” or “revolution”.
The scam messages, written in the names of representatives of reputed Syrian and UK banks, stated that their clients would like to transfer their multi-million savings from their accounts because of the unrest in Syria, and were looking for a partner who would help them to do so. Naturally, “compensation” was offered, of which the scammers were ready to tell the recipient either immediately or once they had received a reply. The scammers gave a contact phone number and an email address; the latter could be either the sender’s address or the personal email of the “bank’s client” who allegedly needed help. The scammer’s aim was to entice the victim into an email exhange. After all details of the future partnership are discussed, the victim will most probably be asked to perform a service, e.g. transfer a small amount of money to pay for the mediator’s services. When the money is transferred, the scammers will vanish just as suddenly as they appeared.
While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.
Today we already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious youtube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.
The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.
Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".
MD5sums of some of the collected samples:
Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.
At the same time as the CNN newsletter scam, there has also been an epidemic of scam emails imitating Facebook notifications. In these emails, spammers suggested that users check out new comments on their photos. The mechanism used in the malicious link was the same as in the case described above. The most curious part, though, was that the scammers did not even bother to change the links. While in the former case the link included “cnnbrnews.html” after the domain name, the same ending in the link provided in fake Facebook messages looks out of place.
Unfortunately, this is the only part of the scam where the cybercriminals were careless. Emails containing the malicious links are still being distributed, so be cautious when handling suspicious messages.
The 2014 FIFA World Cup has already kicked off, at least for Brazilian bad guys. Next year’s big event in Brazil has become one of the most prominent tactics used by Latin American cybercriminals as they unleash a real avalanche of phishing messages, fraudulent prizes and giveaways, malicious domains, fake tickets, credit card cloning, banking Trojans and a lot of social engineering.
Indeed Brazil figured among the top five countries where users risk being caught ‘offside’ by phishing attacks, according to a recent study conducted by RSA and released in January. The country is in fourth place, along with the UK, USA, Canada and South Africa. So it's no big surprise to find four Brazilian brands in the Top 10 most targeted on PhishTank stats.
Offers range from alleged cash prizes, trips and tickets to watch the games, while the attacks involve massive phishing mailings, and, to add spurious credibility, stars of the national soccer team have been ‘signed up’ by the conmen. Here’s one example featuring Neymar, the latest Brazilian hero to be dubbed the new Pelé:
"Win a new car, cash prizes and tickets for the World Cup, just click and subscribe now"
Phishing is not exactly a ground-breaking technique. Quite the opposite, it seems like it has been around forever. This is an indicator of its effectiveness: we might think that it is unlikely that people would give away their banking credentials just because they are asked for them, but still there is a percentage who continue to become victims of one of the simplest fraud methods.
However both user awareness and anti-phishing tools are making harder for fraudsters to succeed in their attempts to get our money. We see this changing in the decrease in the percentage of spam. That is not the only reason: users are switching to new platforms such as social networks for direct communication.
Today I want to show you an example of the creativeness in avoiding spam and phishing filters.
Summer 2012 will be packed with sporting events. This week sees the Euro 2012 football championship kick off in Poland and Ukraine. The tournament will bring together 16 of Europe’s best teams, and football fans from all over the continent will be watching closely regardless of whether their country qualified for the finals or not. Official ticket sales for Euro 2012 were launched on 12 December 2011, but spammers – rather unusually for them – were in no hurry to exploit the event. The first mailing offering tickets to Euro 2012 was only detected at the beginning of January. Since Ukraine is one of the host countries for Euro 2012, there were lots of messages in Russian and Ukrainian. The afore-mentioned message offering tickets was just one of them.
It may not be in the same league as Christmas and New Year, but with every year Valentine’s Day is being exploited more and more by spammers. In the week before it is celebrated this year Valentine’s spam accounted for 0.3% of all spam.
We registered the first Valentine’s spam as far back as 14 January – a whole month before the holiday itself – and it struck us as being rather unusual.
Like the majority of spam mass mailings exploiting the Valentine’s Day theme, this particular mailing was in English. It is a well-known fact that the lion’s share of English-language spam is distributed via partner programs. (Unlike other parts of the world, the practice of small and medium-sized companies ordering spam mailings or sending out spam themselves is not very popular in the USA and most western European countries.) However, the first Valentine’s spam of the year bucked this trend and had nothing to do with a partner program.
This particular offer for Valentine’s Day gifts made use of coupon services.
As you can see from the screenshot, the recipient is urged to buy a small gift for their loved one making use of a discount, an offer which the company made via the major coupon service Groupon.
Coupon services have proved to be a big success around the world. Every day various websites offer special deals on anything from two to several dozen goods or services.
Groupon is one of the biggest Internet projects of its kind and it’s fairly easy to find its promo campaigns online. The site also informs its subscribers about new deals via email. The company that sent out the first Valentine’s spam detected by Kaspersky Lab used an advert for this major portal, the legitimate Groupon email campaign plus spam advertising.
We’ve already noted that for small companies coupon services are fast becoming a credible alternative to spam advertising. Judge for yourself: the method used to spread adverts is the same – via email, but spam filters don’t block legitimate mailings from major Internet resources. Another important advantage is that the firms that offer coupon services are not breaking the law. The size of the mailing may well be less than a spam mailing that a company could order, but the legitimate mailing is sent out to the relevant region and the recipients are genuinely interested in special offers sent by coupon services. As a result, a targeted, legitimate mailing can be more effective than the typical ‘carpet bombing’ associated with traditional spam.
Coupon services have had a noticeable impact on mail traffic and Internet advertising. They have also affected spam. There are now a number of spam categories associated with coupon services.
The first is that of unsolicited mailings by the services themselves. This category of spam is quite rare – the more serious companies don’t want to tarnish their reputation by being associated with spam. However, some start-ups trying to break in to the market are willing to resort to spam in an attempt to attract subscribers or to allow their platforms to be used for promotions by other companies.
Another category of ‘coupon’ spam is that which simply uses the word “coupons” instead of “discounts” to make goods or services more attractive to users. These spam mailings can offer ‘coupons’ for some of the most unexpected items. For instance, the people behind pharmaceutical spam think nothing of offering a small discount on medications and passing it off as a coupon.
A third category of coupon spam includes things like the Valentine’s spam mentioned above. This involves a company whose offers are already available via a coupon service attempting to reach a wider audience by resorting to spam. As I see it, this approach is counterproductive. The majority of users react negatively to spam, and using it to advertise will only do harm to a company’s reputation. This is especially important as many coupon services rely on the trust of their users. Spam, therefore, can actually work against a coupon service, reducing the effect of a promotion instead of enhancing it.
The potential popularity of coupon services carries with it a specific threat. Users of the services tend to leave some money on their account balance so they can spend it at any time on a deal that takes their fancy. Although the amount of money stored on such accounts may not be very much, it is still likely to attract phishing attacks against the customers of coupon services.
So as not to play into the spammers’ hands, or to avoid falling victim to a phishing attack, when using these coupon services, users need to follow three simple rules:
Coupon services often send purchased coupons as an attachment in an email. If you have not purchased any coupons from the service, there’s a chance that an email attachment might be malicious. If you are not sure whether or not you bought the coupon, you can always check by entering your account. We have not yet detected a malicious attachment disguised as a coupon. Nevertheless, we recommend that users be careful – spammers that participate in partner programs are usually the first to react to new opportunities, including those that involve spreading malicious code. It’s just a matter of time before this type of spam traffic appears.
“Nigerian” spammers are extremely quick to react to the world’s hottest news stories. News of the death of former Libyan leader Muammar Gaddafi had barely even broken before a string of emails from the “relatives of the deceased” began to appear.
Gaddafi’s inconsolable relatives would be amazed if they knew how many emails had been sent in their name to Internet users around the world.
Instead of joining in the funeral rites, it looks like Gaddaffi’s sons and daughters, or his wife, his brothers or even friends, have rushed straight to their PCs to write to people all over the world asking for help in spiriting uncountable millions of dollars out of the country.
According to the “Nigerians”, the family of the Libyan leader is worth hundreds of millions of dollars. The emails which fell into my hands cited a minimum figure of $300 million.
Most of these emails purport to come from “Gaddafi’s wife”. The spammers seem to think their heart-rending stories about her hard life in her husband’s family could explain her sudden desire to share his money with her close friends. Or even with distant strangers, depending on the recipient of the email.
She’s not alone, though: an unlikely coalition of “opposition forces”, “lawyers” and “bank clerks who have access to Gaddafi’s accounts” also share the general desire to transfer the Colonel’s money abroad.
“Nigerian” spam is, of course, pure fraud. None of Gaddafi’s wives or even his lawyers will ever send emails to someone they do not know asking for help in getting millions of dollars out of the country and offering an unknown agent the commission for doing so. If a user takes the bait the fraudsters will extort money from him to allegedly cover different “expenses” until no more money is left. One should be realistic about the many offers received via the Internet from an unverified source calling himself Colonel Gaddafi’s son (ALL OF A SUDDEN!).
Below are the screenshots of several “Nigerian letters” sent on behalf of Gaddafi’s family: