16 Apr Would you like some Zeus with your coffee? Maria Vergelis
09 Apr The omnipresent dad Maria Rubinstein
06 Mar Fraudsters are playing a different kind of card game Maria Rubinstein
20 Feb Your Facebook account has won a prize! Maria Rubinstein
04 Dec Putting malware in the picture Tatyana Shcherbakova
06 Nov Stealing user's password with Free Online Forms Dmitry Bestuzhev
Cybercriminals often use a bogus email to trick people into opening malicious attachments. Two ingredients make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on fake messages supposedly from the coffee chain Starbucks combined the two.
Many websites show different text depending on where the user lives. For instance, the home pages of some portals show the news and weather for your region by default, because that is the information you are most likely to want first.
Of course, spammers and fraudsters also make use of this approach.
The following letter, written in Spanish, advertises an easy way to earn money online:
The link in the message directs users to times-financials.com, a domain registered in October 2013 according to whois data:
“Moscow City dad makes $14,000 per month” – says the title.
From Moscow? Hmmm.
The now-notorious arsenal of ‘Nigerian’ tricks has been enriched with yet another scam.
A Peter Gamba (or Gamaba?) from Uganda is asking for help: in his homeland he faces persecution for his sexual orientation. The sender claims he is threatened with jail or even death. But he has money - $3,300,000. The message then follows the usual scenario: you take his money, put it into your bank account and keep 20% of it in return for your help.
There are plenty of fraudulent messages with content along the lines of “your email address has won a million dollars in a lottery, please contact us to claim your prize”. Internet scammers use this ruse to get users to hand over money: before they can claim their alleged prize, the “lucky winners” have to pay a tax, a bank charge for the money transfer, etc.
We have now come across an interesting variation of this trick, which involves a Facebook account instead of an email address.
Now, why does Eduardo Saverin (a real person and one of the founders of Facebook) need to know my Facebook username if my account has already won a prize? But an unsuspecting user, blinded by the promise of a huge prize, may not think about that – and that’s what the scammers are counting on.
I’m sure the readers of this blog wouldn’t fall for something like a “Facebook prize”, but our relatives and friends have accounts too, and they may not be so experienced in the ways of online fraud. That’s why they should be warned that such letters are nothing but a scam.
Spammers actively spread malware using fake notifications sent in the name of various financial and banking institutions, booking and delivery services and other companies. The arsenal of tricks used by cybercriminals is constantly being updated. In particular, in recent years we have recorded a number of English- and German-language mass mailings in which the attackers try to hide malware behind photos and pictures.
In October, the attackers sent out fake notifications claiming to be from T-Mobile, a telecoms operator in Germany, telling users that they had received an MMS. To make the email look legitimate, the sender address contained the official company domain, although the email itself was sent from a different address. The body of the email included a contact phone number for the sender of the MMS and some general information about sending and receiving multimedia messages.
The supposed photo named ‘23-10-2013 13_64_09.jpeg.exe’ was not in the body of the email but in the attached archive ’23-10-2013 43_69_10.zip’. The scammers used the popular JPEG image file format in the name of the malicious file in the hope that it would convince recipients that the archive did in fact contain the photo. However, alert users would notice that the file extension is really .exe. This executable file is detected by Kaspersky Lab as Backdoor.Win32.Androm. This bot program allows the fraudsters to remotely execute commands on the infected computer, for example, downloading and running other malware without the owner's knowledge.
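The two tell-tale signs in this mailing, a From: domain that does not match where the message was really sent from, and an archive whose member is an executable dressed up as a JPEG, are both mechanically checkable, and the same checks apply to the spoofed FedEx/Google/Twitter “From” fields in the pharmaceutical mailings discussed further down. The script below is an added example written for this page, not Kaspersky code or anything from the original mailing. It assumes the receiving mail system records the envelope sender in a Return-Path header, which is where it compares the claimed From: domain; the sample message, its addresses (using the reserved .invalid TLD) and the in-memory zip archive are constructed for the demonstration, with only the two file names taken from the text above.

```python
import io
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Final extensions that Windows will execute, and the "decoy" extensions
# scammers put in front of them so a name reads like a photo or document.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".jpeg", ".jpg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def build_sample_eml() -> bytes:
    """Constructed sample: a fake MMS notice in the style described above.
    From: shows the official domain; Return-Path (the envelope sender) does not,
    and the attached zip holds '<date> <time>.jpeg.exe' rather than a photo."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # Invented PE stub standing in for the backdoor; never a real binary.
        zf.writestr("23-10-2013 13_64_09.jpeg.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "T-Mobile MMS <mms@t-mobile.de>"                 # claimed sender
    msg["Return-Path"] = "<bounce@example-bulkmailer.invalid>"     # real (invented) envelope sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Sie haben eine MMS erhalten"
    msg.set_content("Sender: +49 151 0000000. Open the attached picture.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="23-10-2013 43_69_10.zip")
    return msg.as_bytes()


def deceptive_names(zip_bytes: bytes) -> list:
    """List archive members whose real (last) extension is executable but which
    carry a photo/document extension just before it, e.g. 'x.jpeg.exe'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.lower().rsplit(".", 2)
            if (len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS
                    and "." + parts[1] in DECOY_EXTS):
                hits.append(name)
    return hits


def sender_mismatch(msg) -> tuple:
    """Return (from_domain, envelope_domain, mismatch_flag)."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    env_dom = envelope.rpartition("@")[2].lower()
    return from_dom, env_dom, bool(from_dom and env_dom and from_dom != env_dom)


def analyse(raw: bytes) -> list:
    """Run both checks over a raw RFC 822 message and return human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, env_dom, mismatch = sender_mismatch(msg)
    if mismatch:
        findings.append(f"From domain {from_dom} differs from envelope sender domain {env_dom}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if fname.lower().endswith(".zip") and payload:
            for member in deceptive_names(payload):
                findings.append(f"{fname} contains executable with decoy extension: {member}")
    return findings


if __name__ == "__main__":
    for line in analyse(build_sample_eml()):
        print(line)
```

The domain comparison is deliberately coarse: legitimate bulk mail is often sent through a third-party provider, so a mismatch on its own is a hint to look closer (or to consult SPF/DKIM results), not a verdict. The double-extension check, by contrast, has essentially no benign explanation when the archive arrives unsolicited.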
The continuing conflict and the complex political situation in Syria have created the perfect conditions for new ‘Nigerian’ scams. In recent months, there has been a surge in the number of Nigerian letters that contained some sort of reference to Syria; scammers sent messages both in the names of ordinary citizens of that country and on behalf of representatives of banks and humanitarian organizations. The texts of the messages made frequent use of words such as “turmoil”, “crisis” or “revolution”.
The scam messages, written in the names of representatives of reputable Syrian and UK banks, stated that their clients wanted to move their multi-million savings out of their accounts because of the unrest in Syria and were looking for a partner to help them do so. Naturally, “compensation” was offered, the size of which the scammers were ready to reveal either immediately or once they had received a reply. The scammers gave a contact phone number and an email address; the latter could be either the sender’s address or the personal email of the “bank’s client” who allegedly needed help. The scammer’s aim was to draw the victim into an email exchange. Once all the details of the future partnership have been discussed, the victim will most probably be asked to perform a service, e.g. transfer a small amount of money to pay for the mediator’s services. When the money has been transferred, the scammers vanish just as suddenly as they appeared.
Adverts for medication to improve male sex drive are a staple of spam mailings. Like any other unsolicited messages, emails of this nature have evolved with time, and today’s versions no longer merely contain promises of enhanced potency and a link to a site selling pills. In August and September we noted a series of mailings that used the names of well-known companies and looked just like typical phishing messages. However, instead of a phishing site, the links they contained led to an advert for “male medication”.
All the messages in the mailings were made to look as though they had come from FedEx, Google, Twitter, Yahoo and other popular companies and services. One of those names was usually used in the ‘From’ field of the messages. The text body imitated official letters from the companies, including logos and signatures from fictitious employees. It was all meant to convince recipients that the emails were genuine. But an attentive user would easily notice from the sender’s address that it was anything but genuine and was most probably generated automatically. There were several variants of the message within a single mass mailing.
The spammers used a number of pretexts to get users to click the links. For example, some emails imitated legitimate notifications about undelivered emails, profile registration, deletion of unread emails, etc. The messages were intentionally very short, prompting the recipient to click the link to find out more. But the link actually redirected to an advertising site for pharmaceutical spam.
Lately, our spam traps have been catching emails like these:
In them, someone with a very English name is asking to book a hotel or air tickets for their family. A naïve recipient would think, “Ah, wrong address”.
At the same time as the CNN newsletter scam, there has also been an epidemic of scam emails imitating Facebook notifications. In these emails, spammers suggested that users check out new comments on their photos. The mechanism used in the malicious link was the same as in the case described above. The most curious part, though, was that the scammers did not even bother to change the links. While in the former case the link included “cnnbrnews.html” after the domain name, the same ending in the link provided in fake Facebook messages looks out of place.
Unfortunately, this is the only part of the scam where the cybercriminals were careless. Emails containing the malicious links are still being distributed, so be cautious when handling suspicious messages.