Security Blog
Recently in Phishing Category
October 30, 2009
This Week in Phishing
I just received this email in my Yahoo mailbox:
What do you guys think? Should I email Mrs. Elizabeth and claim my 11 million?
I could really use the extra cash right now.
Posted by: Pete at 4:59 PM
Categories: General , Phishing , Spam
October 30, 2009
Threat Lab Q3 Report: Malware and Phishing Web Sites
Based on data collected in Q3 2009, we found that business related sites were most likely to host malware. Pornography and sexually explicit sites came in at number 2 this quarter. As a sign of the economic times, real estate, shopping, and travel sites also made the top 10.
As for sites manipulated by phishing, health & medicine related sites still top the list, followed closely by sex education and finance. The rest of the top 10 contained no surprises; however, we do see a drop in social networking phishing sites. That may be due to greater awareness that such sites are being exploited for phishing.

Posted by: Netgear Threat Lab at 3:16 PM
Categories: Malware , Netgear Threat Lab , Phishing
October 30, 2009
Threat Lab Q3 Report: Pharma spam masquerading as Facebook message
Spammers are continually looking for ways to hide their true identity to bypass content filters, and ways to employ social engineering to bypass human filters (i.e., judgment) that can often distinguish if something is spam just by looking at it. The message pictured here was circulated in the third quarter.
This message, with its familiar blue header, was designed to fool both people and spam filters that may not properly identify image-based spam, since all the actual content was in an image. The image itself is typically blocked by email clients such as Microsoft Outlook until the user chooses to download it. However, since the email appears to be legitimate, the user may download the image, revealing that it is actually pharmaceutical spam. The only content that text-based filters can identify in such a message is the traditional Facebook footer text, such as "if you do not wish to receive this type of Facebook mail in the future", which makes it appear legitimate.
The message was not actually sent from Facebook. If it had been, the return address would have been a Facebook address, not "Tammi Manley". Also, all the links within the message, such as "Unsubscribe" and "More info", lead to the pharmaceuticals site pictured in the advertisement.
Source: Commtouch Labs
Posted by: Netgear Threat Lab at 2:48 PM
Categories: Netgear Threat Lab , Phishing
September 16, 2009
A New Way of Phishing - Chat-in-the-Middle
The RSA FraudAction Research Lab has recently discovered a new type of phishing attack that targets online banking customers (e.g., you and me). While past phishing attacks simply look for the victim to enter their online banking credentials, this one does not stop there.
After the victim is tricked into entering their login credentials (usually, at this point the victim is redirected either to another page of the phishing Web site or to the real bank Web site), the attacker goes one step further by initiating an online live chat session. During this live chat, the attacker attempts to extract even more information from the victim through social engineering (phone numbers, addresses, etc.).
Attackers are always finding new and creative ways to obtain sensitive information. You can never be too sure. My best advice is: when in doubt, go to your local branch.
Posted by: Pete at 10:31 PM
Categories: General , Phishing
July 17, 2009
Michael Jackson Spam Rises From the Grave
Michael Jackson's unexpected passing has shocked the world and generated a new wave of "Michael Mania". Everywhere you go, people are talking about it. It's all over TV, radio, and the Internet. Even I have pulled out my old stash of Michael Jackson CDs and given Thriller another good listen.
As we've mentioned before in this blog, hot news items such as this one are often exploited by spammers and other cyber criminals. Sadly, MJ is no exception. Riding on this wave of public interest, emails claiming that Michael Jackson was murdered, offering exclusive video footage, or carrying Michael Jackson songs or pictures began to surface minutes after his death. These emails contained attachments and malicious URLs that delivered malware, all used in an attempt to infect user PCs and extract information from them for criminal purposes.
Another method used was fake Michael Jackson related blogs. Users would see many pop-ups when browsing to these fake blog sites pretending to talk about Michael Jackson. While the users were reading the fake blogs, malicious scripts would attack the reader's machine in the background.
As if Michael Jackson's death hadn't already been exploited enough by the media, cyber criminals also felt the need to jump in on the exploitation. So, fake emails, fake videos, fake pictures, fake URLs, fake blogs, fake nose (sorry): there is so much smoke and mirrors regarding this subject floating around that one really needs to be careful what one clicks on. Otherwise your machine might be the one that's paralyzed.
Posted by: Pete at 5:26 PM
Categories: General , Malware , Phishing , Spam , Worms
July 2, 2009
Threat Lab Report: Social Networking Twitter Spam on the Rise
The adoption of social networking has spread like wildfire over the past few years. It has become a mainstay as one of the major activities people participate in when on the Internet. However, at the same time, its popularity has attracted the attention of malware authors and other cyber criminals. After using Facebook and MySpace as a means to spread malware, they have now turned their attention to Twitter. A new virus utilizing Twitter has caught our eye.
This new Twitter virus does not use "tweets" to spread, but is instead another type of email spam based phishing attack. The bait this time is the trust users have for official invitation emails from Twitter itself.
The user will receive an invitation email from invitations@twitter.com with the subject "Your friend invited you to twitter!". The contents of this email are identical to real invitations from Twitter with one exception: the invitation URL in the email is fake and does not lead to the Twitter Web site. Instead, it's a link to an Invitation Card.zip file. This zip file contains the virus Trojan.Win32.Buzus.anee. This virus infects Explorer.exe and will, at the instruction of its creator, download more malware onto the infected desktop.
With more and more people utilizing social networks as part of their everyday lives, attacks that exploit these social networks only look to become more common. The next time you receive a tweet or an app invite on Facebook, look twice before you click.
Posted by: Netgear Threat Lab at 2:19 PM
Categories: Malware , Netgear Threat Lab , Phishing , Spam , Viruses
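The two posts above (the Facebook-styled pharma spam and the fake Twitter invitation) each describe the same kinds of indicators: a sender or link domain that does not belong to the brand the message claims to be from, a body whose real content lives in an image with almost no filterable text, and a link or attachment that delivers an archive. The script below, added here as an example and not code from this blog or from Netgear Threat Lab, turns those indicators into automated checks and runs them over two constructed stand-in messages. The brand-to-domain table, the image-only threshold, and every address, URL and message body in the samples are assumptions made for this example; only the "Tammi Manley" display name, the invitations@twitter.com sender, the Twitter subject line and the Facebook footer wording come from the posts.

```python
"""Indicator checks for brand-impersonation email, run over constructed samples."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: domains each brand legitimately sends from.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "twitter": {"twitter.com"},
}
ARCHIVE_OR_EXE = re.compile(r"\.(zip|exe|scr)$", re.IGNORECASE)
IMAGE_ONLY_TEXT_LIMIT = 200  # assumed threshold: an image plus fewer visible characters than this


class LinkCollector(HTMLParser):
    """Collects hrefs, counts <img> tags and visible text characters in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.images, self.text_chars = [], 0, 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def registered_domain(host):
    """Crude 'last two labels' reduction, sufficient for the .com domains used here."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(msg):
    """Which known brand does the display name or subject claim? None if no brand is named."""
    display_name, _ = parseaddr(msg.get("From", ""))
    haystack = f"{display_name} {msg.get('Subject', '')}".lower()
    return next((b for b in BRAND_DOMAINS if b in haystack), None)


def check_message(msg):
    """Return a list of (code, detail) findings for one EmailMessage."""
    findings = []
    brand = claimed_brand(msg)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if brand and registered_domain(sender_domain) not in BRAND_DOMAINS[brand]:
        findings.append(("sender-domain-mismatch", f"{sender_domain} is not a {brand} domain"))

    links = LinkCollector()
    for part in msg.walk():  # the container part comes first, then text/plain, then text/html
        filename = part.get_filename()
        if filename and ARCHIVE_OR_EXE.search(filename):
            findings.append(("risky-attachment", filename))
        if part.get_content_type() == "text/html":
            links.feed(part.get_content())

    for href in links.hrefs:
        url = urlparse(href)
        if brand and registered_domain(url.hostname or "") not in BRAND_DOMAINS[brand]:
            findings.append(("link-domain-mismatch", f"{href} leaves {brand}"))
        if ARCHIVE_OR_EXE.search(url.path):
            findings.append(("archive-link", href))

    if links.images and links.text_chars < IMAGE_ONLY_TEXT_LIMIT:
        findings.append(("image-only-body", f"{links.text_chars} visible chars, {links.images} image(s)"))
    return findings


def build_pharma_sample():
    """Constructed stand-in for the Facebook-styled pharma message (not the real one)."""
    msg = EmailMessage()
    msg["From"] = "Tammi Manley <tammi@mailer.example.invalid>"
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "You have a new Facebook message"
    msg.set_content("This message requires an HTML-capable mail client.")
    msg.add_alternative(
        '<html><body style="background:#3b5998">'
        '<img src="http://pharma.example.invalid/ad.gif" alt="">'
        "<p>If you do not wish to receive this type of Facebook mail in the future, "
        '<a href="http://pharma.example.invalid/?a=unsub">Unsubscribe</a> or '
        '<a href="http://pharma.example.invalid/?a=info">More info</a>.</p></body></html>',
        subtype="html",
    )
    return msg


def build_twitter_sample():
    """Constructed stand-in for the fake Twitter invitation (not the real one)."""
    msg = EmailMessage()
    msg["From"] = "Twitter <invitations@twitter.com>"  # spoofed sender, as the post describes
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "Your friend invited you to twitter!"
    msg.set_content("Your friend invited you to join Twitter.")
    msg.add_alternative(
        "<html><body><p>Your friend has invited you to join Twitter, a free service that lets "
        "you keep in touch with people through short messages. To accept, open your "
        '<a href="http://download.example.invalid/Invitation%20Card.zip">Invitation Card</a>.'
        "</p></body></html>",
        subtype="html",
    )
    return msg


if __name__ == "__main__":
    for build in (build_pharma_sample, build_twitter_sample):
        print(build.__name__)
        for code, detail in check_message(build()):
            print(f"  {code}: {detail}")
```

The sender check alone would pass the Twitter sample, because that message spoofs a real twitter.com address; it is the link check (a host outside the brand and a path ending in .zip) that catches it, while the pharma sample is caught by all three checks. A production filter would replace the hand-written brand table with a proper public-suffix list and the claimed-brand guess with the organisation's own list of impersonated senders.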
May 6, 2009
Swine Flu: Coming to a PC Near You
By now, you've all probably heard or read about the recent swine flu outbreak. Everyone here is on code orange swine flu alert. People are taking safety precautions (the right thing to do) so that this thing doesn't do too much damage. Well, it turns out we are not the only ones affected by this virus. Believe it or not, your PC is also at risk. Read more about it here and here.
Swine flu related spam and phishing attacks have already begun surfacing on the Internet. Some of these emails contain eye-catching subject lines such as "First US swine flu victims!" or "Madonna caught swine flu!". Others claim to sell pharmaceuticals that cure or prevent swine flu and contain links to fake online drug sites. None of this should be any surprise, as hot news items are almost always exploited by spammers (see Richardson, Natasha).
Expect only more of these spam and phishing attacks exploiting swine flu in the coming weeks.
Posted by: Pete at 3:18 PM
Categories: General , Phishing , Spam
April 30, 2009
Threat Lab Report: Malware and Phishing Web Sites
Based on data collected in Q1 2009, we found that pornographic and sexually explicit sites were most likely to host malware. Also, as expected, Streaming Media and Downloads sites are high up at number 3. This is no surprise as such sites have traditionally been near the top of the list. Unexpectedly however, job search sites were amongst the top ten.
As for sites manipulated by phishing, health & medicine related sites top the list, followed closely by Webmail. Social networking sites such as Facebook and Twitter are also becoming more frequently exploited by cyber criminals as a medium to spread malicious code.
Posted by: Netgear Threat Lab at 10:22 AM
Categories: Malware , Netgear Threat Lab , Phishing , Spyware , Viruses
April 27, 2009
Threat Lab Report: A New Kido Variant
April 1st has come and gone; however, the activities of the Kido (Conficker) worm have not stopped because of it. Recently, a mutated variant of Kido with new functionality has caught our attention. This new variant is detected as Trojan-Downloader.Win32.Kido, and compared to past variants the main difference is that it uses peer-to-peer (P2P) protocols for communication instead of the HTTP used by previous variants of this worm. This means that this new variant of Kido utilizes P2P channels to download new malicious code or for botnet control.
Once a user PC is infected by this new variant of Kido, it will automatically download fake anti-malware software by the name of "spyware protect 2009" (detected as FraudTool.Win32.SpywareProtect2009). Once installed, this anti-malware program attempts to scare the user by notifying them that a "virus" has been detected on their PC and requesting that they pay $49.95 to remove this so-called "virus".
At the same time, an email worm by the name of Email-Worm.Win32.Iksmas will also be downloaded. This worm steals user data and sends out spam using the infected host. One more interesting point about this new Kido variant is that the author configured a self-termination date of May 3rd (date-limited functionality until 3rd May 2009). Why? We are still trying to find out. Perhaps the next Kido update will provide us with more clues.
Posted by: Netgear Threat Lab at 12:09 PM
Categories: Malware , Netgear Threat Lab , Phishing , Spam , Viruses , Worms
February 13, 2009
Why Your Data is Never Safe (Or, what a totaled car teaches us about Internet Fraud!)
I was in a car accident a couple of weeks ago, something I never thought I'd get into. I consider myself a good driver, always (most of the time anyways) following rules and traffic signs, alert, aware of my surroundings and of what other cars around me are doing. However, I was still rear-ended on the freeway while I was at a complete stop. Apparently, the driver who hit me was not paying attention to the traffic in front of him, so he hit me and pushed my car into two other cars. The damage: my lovely car was totaled. Luckily, I managed to walk away from that with only a few aches and pains. The moral of the story? No matter how careful you are, you can't control how others around you drive. All you can do is drive the safest car you can afford and drive it safely.
So what does this have to do with your data? I came across THIS article a few weeks back and let out a long sigh of helplessness. One little keylogger and millions of credit card numbers are potentially compromised. So you've installed security software on your PC. You have a VPN firewall. You have a gateway security solution. You've deployed URL filtering, anti-spam, IPS, applied security patches...the works. You've taken all the steps necessary to secure your network. And yet your credit card numbers still end up in the wrong hands. No matter how careful you are, you have no control over where your data goes after it leaves your network. You have no idea what payment processing firms and other organizations handling your sensitive data have in place for network security. In the end, all you can do is deploy the best security you can afford and hope that others follow suit. Sound familiar?
Posted by: Pete at 12:33 AM
Categories: Malware , Phishing , Spyware