06 Mar Fraudsters are playing a different kind of card game Maria Rubinstein
05 Mar Mystery shopper: Beware of Frauds Tatiana Kulikova
05 Mar Tor hidden services – a safe haven for cybercriminals Sergey Lozhkin
05 Mar A ‘gift’ for Apple’s valued customers Tatyana Shcherbakova
03 Mar CODE BLUE in Tokyo Michael
28 Feb The Future of Bitcoin After the Mt. Gox Incident Stefan Tanase
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
The now-notorious arsenal of ‘Nigerian’ tricks has been enriched with yet a new scam.
A Peter Gamba (or Gamaba?) from Uganda is asking for help: in his homeland he faces the threat of persecution for his sexual orientation. The sender claims he is threatened with jail or even death. But he has money - $3,300,000. The message then follows the usual scenario – you take his money, put it to your bank account and get 20% of it in return for your help.
Offers to work as a mystery shopper are a common trick used by fraudsters. They give you a chance to work in your free time, and if you agree, they send you a fake check with a huge sum of money, which is supposed to compensate the costs of goods and research. Any remaining money left over after the work is returned to the fraudsters. When the bank annuls the check as a fake, the secret shopper is left out of pocket.
But as users become more aware of online dangers, scammers have had to resort to various types of tricks to achieve their goals, such as disguising scammer mailings as a mailing from a large company specializing in working with secret shoppers. The message, sent on behalf of Mystery Shopper Inc., prompted the user to look at a description of the vacancy, but the attached link led to another resource that also specializes in this type of market research.
The real address of the scammer’s page was revealed after clicking the attached link. Obviously, it had nothing to do with Mystery Shopper Inc. official resources.
Over the last few months I have been closely monitoring so-called Darknet resources, mostly the Tor network. And one thing that is immediately obvious is that the cybercriminal element is growing. Although, the Tor infrastructure and cybercriminal resources are not on the same scale as the conventional Internet, we managed to find approximately 900 hidden services online at the current time. There are also approximately 5,500 nodes in total and 1,000 exit nodes, but the possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network.
Cybercriminals have started actively using Tor to host malicious infrastructure. We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc.
Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.
In January we detected a phishing mailing that was sent on behalf of Apple. The messages contained an offer to purchase a card giving a discount of 150 euros in any European AppStore for only 9 euros. The senders also underlined that only valued customers were eligible to receive the card.
To place an order for the card, Apple fans had to open an attached HTML page and fill in all the fields, such as information about the user’s bank card, including the three-digit security code stated on the reverse of the card.
In exchange, the scammers promised to send a discount card via email within 24 hours. But evidently it was just another scam to trick users. The fraudsters also used the Apple logo and automated subscriptions at the end of the message to confuse victims.
The scammers didn’t just target logins and passwords for personal accounts but also users’ banking information, and in order to achieve their goal they are willing to promise anything. Inexperienced users may find it difficult to see through the fraud, but requests for confidential bank information or data that gives access to personal accounts are a clear sign of a phishing scam.
On February 17th (MON) - 18th (TUE), 2014 we were at an event in Tokyo called “CODE BLUE”, a new international information security conference originating from Japan.
Even though this conference was being held for the first time, no less than 400 visitors attended, with people coming from about 10 different countries.
The overall atmosphere at the event was kind and friendly and everything seemed to go smooth and swiftly.
Topics on the first day were the keynote by Jeff Moss, followed by presentations about “The Current State of Automotive Security”, “A Security Barrier Device”, “Remote linux exploits” and hard-/software related hard disk matters.
For the Japanese speakers among you there’s a more detailed review of the event here.
No doubt it’s been a crazy week for anyone even remotely interested in Bitcoin. Mt. Gox, once the largest Bitcoin marketplace out there, has shut down, putting a bitter end to an almost month-long situation in which all withdrawals were halted because of “technical issues”.
Mt. Gox BTC price evolution in February 2014, source: Clark Moody
As customers were unable to move their funds out from Mt. Gox, the world’s most famous exchange essentially became isolated from the rest of the Bitcoin ecosystem, making the Bitcoin price traded on Mt. Gox plummet to as low as $100 for 1 BTC before the exchange went completely offline.
In our forecast for 2014, we’ve stated that attacks on Bitcoin, specifically attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. These attacks will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.
While the Mt. Gox incident might be the most significant in Bitcoin history to-date, as it is rumored to be worth 744,408 Bitcoins, or more than $300 million at current BTC prices, the only question that remains unanswered is what actually caused it.
The tales spun by Nigerian scammers often amaze with their ability to exploit and adapt the same type of scam to a whole variety of situations. Most of these situations are tragic, either related to someone’s death or political turmoil. That’s why an attempt to give away one’s money (or huge part of it) as a vow to God may well come as a complete surprise.
The vow was given by an engineer who had decided to give away tens of thousands of dollars to a randomly chosen user from the Internet. According to his story, he signed a very lucrative contract in Australia, but after finishing his part of the contract, his work wasn’t paid. The desperate engineer swore to God to give away $250,000 to some random person if he received his money. Of course, the story had a happy ending and recently, the Australian government agreed to pay up. And now the happy engineer has to fulfill his vow and is ready to give $250,000 to the lucky recipient.
Although Google confirms the existence of Mr. Brady’s company, the promise of a large sum of money shouldn’t be taken too seriously. Suspicions should immediately be raised by the fact that a private businessman is writing from an address with the domain fbi.gov.
We hope that nobody ends up responding and paying for Mr. Brady’s holy vow. After all, a happy end for the scammers often spells tragedy for the victims.
Spammers are relentless in their attempts to bypass anti-spam filters and confuse recipients of spam. Recently we detected a mass mailing disguised as an automated reply to a request to unsubscribe from a news blog. The authors noted their regret at losing one of their subscribers and asked if the user really wanted to unsubscribe.
Phrases like “We regret your decision to unsubscribe” do indeed appear in responses sent following requests to unsubscribe. However, there followed some unusual text in which the senders also regretfully informed the recipient that they had also unsubscribed him from other information mailings on subjects such as:
These are typical spam topics which, in this case, were disguised as information blocks. Why were the messages so suspicious? Because the senders didn’t even mention the name of the blog, site or journal from which the user was supposed to have unsubscribed.
The name of the unsubscribed service wasn’t in the sender’s domain name either – the address contained only one phrase that translates as “driving license right now” (spammers frequently use words related to the topic of the message in new domains), and the messages were sent in the month the domain was created. There were no links to prolong the subscription. It looks like the spammers thought that any interested users would reply to the message and receive a whole variety of spam mailings related to the chosen topic.
An even more insolent mailing stated that for a certain amount of money the spammers would tell the recipient how they found out his/her email address and why the mail box was full of spam messages. The information cost just $3.50. In order to pay for the information, the user had to click a link at the end of the message.
The link led to the site called End of Spam where the user could view a full pricelist. For instance, the user could remove his/her email address from spam mailing lists for a $1.50 payment via PayPal. Information on how the spammers found out about the user’s email address cost $3.50. The fraudsters reminded the user to state their email address so that they “know which email address to unsubscribe”.
All of the links led to a PayPal page with a set payment document. If the user was already authorized in PayPal system, he/she simply had to press the button “Buy Now” and transfer his/her money to goodness knows where.
Of course, this is unlikely to halt the spam mailings – it’s hard to believe that the senders know all the spammers in the world and can stop their mailings at the request of a user. Besides, after the money transfer, the stream of unsolicited correspondence may even increase after the address is confirmed as being valid and the user’s naivety is noted. In the worst case scenario, the user’s personal data from the money transfer payment could be used.
Virus writers of Android Trojans have traditionally used Windows malware functionality as a template. Now, yet another technique from Windows Trojans has been implemented in malware for Android: for the first time we have detected an Android Trojan that uses a domain in the .onion pseudo zone as a C&C. The Trojan uses the anonymous Tor network built on a network of proxy servers. As well as providing users with anonymity, Tor makes it possible to display ‘anonymous’ sites in the .onion domain zone that can only be accessed in Tor.
There are plenty of fraudulent messages with the content along the lines of “your email address won a million dollars in a lottery, please contact us to claim your prize”. Internet scammers use this trick to trick users into giving away money: before they can claim their alleged prize the “lucky winners” have to pay tax or a bank charge for a money transfer, etc.
We have now come across an interesting variation of this trick, which involves a Facebook account instead of an email address.
Now, why does Eduardo Saverin (a real person and one of the founders of Facebook) need to know my Facebook username if my account has already won a prize? But an unsuspecting user, blinded by the promise of a huge prize, may not think about that – and that’s what the scammers are counting on.
I’m sure the readers of this blog wouldn’t fall for something like a “Facebook prize”, but our relatives and friends have accounts too, and they may not be so experienced in the ways of online fraud. That’s why they should be warned that such letters are nothing but a scam.