Security and Privacy » spam

Fake Firefox update

derek — Wed, 19 Oct 2011 21:15:22 +0000

Lots of spam emails circulating with following content

New update arrive.

Your security is our top priority. Our open source security process means we have an international community of experts working around the clock to monitor the latest threats. As soon as a security threat is discovered, we write a patch and release an update to stay one step ahead. Downloading Firefox updates is a very important part of staying safe online. Firefox is constantly evolving as our community finds ways to make it better, and as we adjust to the latest security threats. Keeping your Firefox up-to-date is the best way to make sure that you are using the smartest, fastest and . most importantly . safest version of Firefox available. A Firefox update will not make any changes to your bookmarks, saved passwords or other settings. However, there is a possibility that some of your Add-ons won.t be immediately compatible with new updates. Re-installing Firefox will not affect your settings, bookmarks or preferences in any way. A Firefox software update is a quick download of small amounts of new code to your existing Firefox browser. These small patches can contain security fixes or other little changes to the browser to ensure that you are using the best version of Firefox available. Update in a click : firefox-7.0.1

needless to say the download is a trojan, identified by several antiviruses as carpberb and by others as Z-bot Please don’t fall for it Firefox 7 isn’t out yet, although it will be soon

new malware spam- order.zip

derek — Tue, 10 May 2011 11:07:51 +0000

There is a new spam bot out there sending a malware link. see screenshot

screenshot of typical spam email

all emails so far appear to originate from a Ukrainian server noc.maximuma.net 91.196.148.8 which may or may not have been hacked, but web searches suggest that lots of spam & malware is being distributed via that server hosting company

So far I have seen several different sites hosting the malware and the senders & recipient email addresses are all random or spoofed

At present antivirus detection is very sporadic but samples have been sent to all known AV companies so I do expect a better detection rate very shortly

The current payload is always order.zip, which when extracted pretends to be order.doc but has a lot of spaces then .exe so simply clicking on it will infect you

It appears to be a downloader or installer for one of the fake Antivirus programs, that currently plague us.

You can see a quick automatic analysis on the Anubis website From previous experience of this sort of malware and the locations it installs itself to , I would not be at all surprised if the malware shown in the Anubis report also installs the TDL4 bootkit

Update: they have changed the email slightly to something that resembles a previous attack attempt and included a “your credit card will be charged with xxxxx $

That always gets the unwary to follow the link, to check if it is their card that has been falsely charged

Revised updated email, showing alleged credit card charge

Results are coming in from many antivirus companies now, saying that it is a version of the spyeyes crimeware toolkit. Spyeyes is well described in this Symantec blog

Beware of New year e-cards

derek — Sat, 01 Jan 2011 17:18:00 +0000

Please avoid all untrusted Happy New Year e-card links. The Shadowserver Foundation is warning of a new malicious and advanced botnet that has just been discovered and ressembles the Storm Worm designs.

New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230
Those of us here at Shadowserver hope you’re having a wonderful holiday season and are ready to bring in the new year. We were trying to relax and enjoy relatively quiet times until we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years.

However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0. There are no real version numbers of course, but we don’t have anything else to call it yet. What’s it involve you ask?

CHARACTERISTICS OF NEW BOTNET

Well here’s the list of what we’ve seen so far:

* Large scale Spam campaigns sending out e-mails with links
* New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
* Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
* Links are also directly to new malicious domains
* Malicious domains hosting links to fake flash player and refreshes to exploit pages
* Malware installs that begin beaching to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
* Malware that’s been updated to look a bit more like legitimate than past variants
* A very buggy network that is not often available (upstream devices not available)
* Changing/Updated binaries

AVOID THESE E-CARD MESSAGES:

Let’s start with the Spam Campaign. We’ve seen a multitude of subject lines and bodies. Below you’ll find a list of subjects we’ve seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.

Greeting for you!
Greeting you with heartiest New Year wishes
Greetings to You
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Have a happy and colorful New Year!
l want to share Greeting with you
New Year 2011 greetings for you
You have a greeting card
You have a New Year Greeting!
You have received a greetings card
You’ve got a Happy New Year Greeting Card!

Skype Update scam

derek — Thu, 30 Sep 2010 09:59:06 +0000

Following on from my previous post, the scammers are also using Skype

Fake Skype website

The fake website looks like this and the membership page is exactly the same as shown previously

Skype email scam

Once again Don’t fall for it only only use the genuine Skype site to download skype & update it

Adobe Reader Update Scam

derek — Thu, 30 Sep 2010 09:13:30 +0000

There are about to be updates issued for Adobe reader to plug security holes and vulnerabilities. The scammers have jumped in on the act and are sending emails pretending to be from an Adobe update service.

Adobe PDF scam email

If you are foolish enough to follow the links then you end up on a scam site trying to sell you an unknown PDF reader, BUT the sting is that you don’t just download & try it or even buy it outright. Oh no ! you have to create a membership and give all your details before you even find out how much is being taken from your bank or credit card.

Don’t fall for it and only update Adobe reader from the official Adobe site, when the actual Update is released ( It is expected in Early October 2010)
Or of course use an alternative PDF reader of your choice, Just be aware that PDF vulnerabilities do affect all PDF readers and some might not get updated as quickly as others. Just because you use an alternative doesn’t mean that you are immune or safe from vulnerabilities in Adobe products

Animal Protection Agency scam

derek — Tue, 28 Sep 2010 08:49:19 +0000

Warning: Animal Protection Agency Website and email scam Sep 2010

If you have received an email proporting to be from the APA asking for your card details, please be warned this a scam. Please report it to the national police fraud unit on 0300 123 2040 or online at actionfraud.org.uk/report_fraud. Note that the website at animal-protection-agency.co.uk (currently offline on 28th September 2010) is a fake clone of the real website http://www.apa.org.uk
Now live is animal-protection-agency.com & has taken over this phishing scam
A currently spreading email reads

Dear pet owner,

The Animal Protection Agency (APA) proudly announce that we managed to raise a fund worthing GBP 1.000.000 and will be donated to 10.000 pet owners.

If you own a pet and you would like to receive this payment of GBP 100 please click the link bellow.

www.animal-protection-agency.co.uk

Sincerely,
Andrew Morrison
Senior Manager

FBI credit card scam spam

derek — Fri, 04 Dec 2009 15:51:36 +0000

The lengths that scammers will go to try to convince a possible victim is quite unbelievable
The following email dropped in my spam box

I really can’t believe anyone will think the FBI issue or verify credit cards/ATM cards & charge you $95 insurance fee for the privilege

Once again the advice is, if it doesn’t look right, then it isn’t right so delete these scam emails and don’t reply to them or phone the numbers given. All that will do is get you a big phone bill from dialling a premium rate international phone number

Microsoft Lottery Spam

derek — Wed, 18 Nov 2009 11:01:04 +0000

We seem to have a new batch of the Microsoft lottery spam emails again

These have a @live.com email address with what at first glance looks like it could be a proper microsoft or MSN email address ( they of course are not genuine Microsoft or associated with Microsoft in any way)

DO NOT fall for the scam & try to ring the 070240****** number . it is a premium rate number that will have along recorded message on it and cost you £0.50 per minute

You won’t get any money from these scammers but they will get money from you

I have blanked out the full email address and phone number from the image to save the unwary