When we analyzed spam data from the past few years, we observed that holiday seasons spirit up malware spam campaigns using e-cards, video player downloads or ActiveX download attacks. We have found that greeting card or e-card spam are the most common. Due to this reason spammers are employing this technique in other spam campaigns.
When analyzing spam messages from the Symantec Probe Network, we came across an interesting phishing attack where spammers are misrepresenting e-card services.
In this unique phishing attack, a URL for the animated e-card is provided in the message. When the user clicks on this link, an animated video is played in a flash player. Surprisingly, the personal message section is invaded by a typical phishing message.
The greeting card message is shown in the image below:
Scammers based in Nigeria have long been known for using legitimate email formats for spreading infamously fraudulent 419 messages. We have already monitored e-card services, social networking invites, and various other services provided on social networking sites. Yet another example is a calendar service being abused for sending scam messages.
Sadly there is an addition to this list, where the “send link to friend” service is exploited for sending scam messages. Many news websites provide an option to send news links to another person. A text area is also provided to write personalized messages. It is a general tendency of netizens to share important news with friends by forwarding the links along with their comments on the news. In a recent spam attack we monitored a typical 419 scam message injected into the text area of a news article. With this, scammers smartly introduce a scam message in an otherwise very legitimate looking mail.
October 2009 saw spam volumes averaging at 87 percent of all email messages, which is consistent with spam volumes observed in August and September 2009, but 10.6% higher than October 2008.
A notable highlight this month is the growth of spam originating from APJ (23% increase of 6% since June 2009) and South America (22% increase of 5% since June 2009) with a corresponding decline in spam originating from EMEA (28% decrease of 6% since June 2009) and North America (20% decrease of 5% since June 2009). This change can be attributed to a number of factors, including spam levels increasing; distribution networks becoming more dynamic as additional broadband connected targets are coming online every day; botnets continuing to jockey for position; and countries such as India, Taiwan, Thailand, and Chile becoming more visible as regions of origin for spam.
With respect to spam categories, Internet spam increased by 7% and now accounts for 39% of all spam messages. This...
The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.
Recently, I've been seeing phishing attacks using Web forms attached to emails making the rounds again. This type of phishing isn't so common but is used on occasion, so I want to take this opportunity to remind everyone not to fall for this trick.
Common phishing attacks include emails purporting to be from legitimate entities like financial instituions, auction sites, and SNS sites which include links to Web sites set up by the attacker to steal user information.
In this case, however, the phishing site arrives as an email attachment rather than a link to the site included in the body of the email.
Threats targeting the Macintosh platform are much less common than those targeting Windows. The same can be said about video games, where Windows is the dominate platform of the two. Combining games and malware has happened before, but a Mac game performing malicious activities? That’s something relatively new.
Takashi Katsuki, one of our Tokyo engineers, came across just that today. The game looks to be a throw-back to the classic Space Invaders/Galaga style of games from the early 1980s. However, what brings this game into the realm of malicious code is that for every alien ship you destroy, the game deletes a file from your home directory.
Symantec has always recommended that personal information, especially financial information such as Social Security numbers, credit card numbers, and of course your email address must not be revealed anywhere on the Internet. Many security experts also believe that disclosing an IP address to an unknown person on the Internet is equally dangerous. We also now need to be cautious of not divulging our mobile numbers or date of birth because these bytes of information are also vitally essential, and are considered part of your identity by financial institutions.
We are monitoring a new wave of phishing attacks that is attempting to extract information such as the mobile numbers and/or dates of birth of recipients by using false alerts:
A couple of the Subject lines of these alerts are:
Symantec recently reported a malicious spam campaign against Facebook, which is now accompanied by a phishing attack. These messages look like an official Facebook invite or password reset confirmation mail.
If we place the cursor over the update button in the message, we can actually see the phishing URL in the status bar. If a user clicks on the “Update” button, he or she is redirected to a Facebook look-alike phishing site. Here, users are asked to enter a password to complete the update procedure. Unfortunately, the user’s password will be stolen if they try to log in on this page.
These attacks can be identified by the subject lines listed below:
Facebook account update
New login system
Facebook Update tool
Sure we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet, here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word “coordinator” because the Trojan only receives some configuration data from its Facebook account—the actual command execution and data reporting is done through a third party Web server.
The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab. The distribution technique is pretty simple: they send documents (PDF, or MS Office formats) containing exploits for known vulnerabilities. These documents usually...
Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.
Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.
Previously posted blogs on the subject of Ransomware can be found at:
While looking through some recent customer submissions a particular filename caught my attention. It was called “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign up for this application are now seeking invites to the service. Certain bad guys have latched onto this and are attempting to take advantage of the situation to push malware. In this case the malware in question is Backdoor.Tidserv. It’s also worth pointing out Google Wave was only selected because of its current popularity. Using a trusted brand like this also increases the chance of success for the attacker. This technique is something we see all of the time.
This particular campaign tries to trick people who want to get into the Google Wave community by promising not only an application that generates Google Wave invites, but also untold riches by selling these invites to other people who want to...
A Blackberry application called PhoneSnoop was released recently, which resulted in an advisory from US-CERT. The application allows remote users to listen in on a Blackberry user’s surroundings.
The application as seen when installed on a Blackberry
The application is actually quite straightforward and uses standard Blackberry APIs that allow the interception of incoming phone calls. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and not realize someone can now listen in on the immediate surroundings.
We’d consider this application just a proof of concept for a variety of reasons, including the author himself...
Instant degree spam attacks have become one of the most regular attacks monitored in recent months. In an earlier blog post we listed the top five degrees offered by spammers. The messages guided users to online degree sites where recipients needed to actually earn their degree. On the other hand, with instant degrees there is no effort required—just call the number provided in the message and you can obtain a degree certificate in no time. These plain text messages arrived with a variety of subjects, which are listed below this sample message:
We have listed subject lines in descending order of number of appearances:
Get Your Bachelor's Degree Online
Earn a Bachelor's or Master's Degree Online
Enhance Your Career Tomorrow
Earn a Bachelor's or Master...
Chinese spammers are very adaptive to new Internet social mediums that might attract recipients’ interests in order to get Web hits. Spammers have done their research on popular social networking activities and living habits, thus setting up spam traps for possible hits. Recipients often fall for the spammers’ tricks because they may not be aware of updated spam news or phishing alerts.
Recently we observed Chinese spammers sending out moneymaking scams using a popular free micro blogging service. This type of free social networking allows users to send live updates through short text messages or links. In this sample we found that a spammer registered a legitimate user account and then sent out a friend invitation request. All links lead to the same money making promo ads:
Sample 1:
From: Popular social networking <Details removed>
Subject: 兼職工作,全職收入-每月增加2到 5萬 邀請您到 <Details removed> 註冊帳號
