Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Phishers’ New Fake Social Media Apps
Mathew Maniyara | 23 May 2013 06:03:47 GMT | 0 comments

Phishers are trying everything they can to improve their chances of harvesting user credentials. They are known for experimenting with different fake social media applications in a desperate move to lure users. Recently, we found a few examples of some new fake apps.

In the first example, the phishing site used an image of a girl along with the Facebook Like button. After clicking the button, users are prompted for their Facebook login credentials in order to “like” the photo. After the credentials are entered, the phishing site acknowledges the login and asks users to click another Like button. The button is placed beside a fake number indicating the number of likes already gained. The phishing site was hosted on servers based in Amsterdam, Netherlands.

Phishers_fake_FB_image1.png

Figure 1. Facebook Like button...

Read more
Spammers Targeting Oklahoma Tornado Victims
Anand Muralidharan | 23 May 2013 04:11:25 GMT | 0 comments

Natural disasters, like tornadoes and earthquakes, are quite common in the United States of America. Unfortunately, the Oklahoma City suburb of Moore experienced a violent tornado on Monday, May 20, that sadly resulted in dozens of casualties. Spammers take advantage of natural disasters with luring scams and Symantec Security Response has started to observe spam messages related to this tornado flowing into the Symantec Probe Networks. The top word combinations used in message headlines include:

  • Tornado – hits – Oklahoma
  • Massive – Tornado
  • Huge – Tornado
  • Tornado – survivors

Spammers Targetting 1.jpeg

Figure 1: Oklahoma City tornado spam campaign
 

These headers have been observed in the spam attack:

...
Read more
Why Email is a Key to Your Castle
Candid Wueest | 21 May 2013 20:22:58 GMT | 0 comments

Having control over an email account can be a lot of power, even though most people would probably say they do not care if someone else is reading their private emails. But it’s not always about reading those private emails. Of course there have been quite a few attacks where secrets were revealed by snooping through emails of hacked accounts. The reasons vary from jealous spouses searching for proof of an assumed affair or as serious as corporate espionage in which certain parties are seeking essential information about a critical deal. Other attackers may use the compromised account to send social engineering messages to all contacts stored in the email account posing as the person whose account has been hacked.

Nowadays an email account is much more than just sending and receiving emails. Many free service providers like Microsoft or Google have various additional services attached to email accounts. Having access to these accounts means having access to such things...

Read more
Spammers Make Memorial Day Memorable
Anand Muralidharan | 20 May 2013 19:02:16 GMT | 0 comments

Memorial Day is celebrated on May 27 and it is a day for memorializing the men and women who have died in military service for the United States. It is a common practice for cybercriminals to take advantage of events and holidays. This year, various spam messages related to Memorial Day have begun flowing into the Symantec Probe Network. We have observed that most of the spam samples encourage users to take advantage of clearance sales on cars and trucks. Clicking the URL will automatically redirect the user to a website containing some bogus offer.
 

Spammers Memorial 1 edit.png

Figure 1: Memorial Day financial spam
 

A variety of subject lines have been observed related to the clearance sale spam attacks for Memorial Day:

  • Subject: Memorial Day Auto...
Read more
Operation Hangover: Q&A on Attacks
Symantec Security Response | 20 May 2013 16:57:37 GMT | 0 comments

Today Norman and the Shadowserver Foundation released a joint detailed report dubbed Operation Hangover, which relates to a recently released ESET blog about a targeted cyber/espionage attack that appears to be originating from India. Symantec released a brief blog around this incident last week and this Q&A will provide additional information relevant to Symantec around this group.

Q: Do Symantec and Norton products protect against threats used by this group?
Yes. Symantec confirms protection for attacks associated with Operation Hangover through our antivirus and IPS signatures, as well as STAR malware protection technologies...

Read more
Symantec Protection for Trojan.FakeSafe
Symantec Security Response | 17 May 2013 16:52:49 GMT | 0 comments

Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails with malicious attachments. These attachments are document files that exploit vulnerabilities in Microsoft Word. Some of the documents we’ve observed exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

If exploitation is successful, the malicious documents drop the following files:

  • smcs.exe
  • SafeExt.dll
  • SafeExt.org
  • SafeCredential.DAT

SafeExt.dll contains most of the threat’s functionality while SafeCredential.DAT...

Read more
Symantec Protection for Targeted Attacks in South Asia
Symantec Security Response | 17 May 2013 16:48:35 GMT | 0 comments

ESET recently blogged about a targeted cyber/espionage attack that appears to be originating from India. Multiple security vendors have been tracking this campaign. The attack appears to be no more than four years old and very broad in scope. Based on our telemetry (Figure 1), it appears that attackers are focusing on targets located in Pakistan, specifically government agencies.

Targeted_Attacks_South_Asia_image.png

Figure. Telemetry data focused on South Asia

The identified infection vector of this campaign is spear phishing emails with malicious files attached. We’ve observed malicious documents exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code...

Read more
Spam Campaigns Take to Tumblr
Ben Nahorney | 16 May 2013 13:15:01 GMT | 0 comments

As the urban legend goes, the bank robber Willie Sutton was asked why he robbed banks. “Because that’s where the money is,” he is attributed as saying. While Sutton has long since distanced himself from the statement, the concept resonates with many people, to the extent that it’s been used to describe principles in accounting and even medicine.  

This principle also holds true in the world of Internet security. In the latest version of the Internet Security Threat Report we discussed the major trends in the spam world, where the percent of spam email continues to decline while more and more social networks are being targeted. Given the growth of social networking in recent years as a means to communicate, this...

Read more
Japanese One-Click Fraud on Google Play Leads to Data Stealing App
Joji Hamada | 16 May 2013 10:07:30 GMT | 0 comments

Since the beginning of the year, a Japanese one-click fraud campaign has continued to wreak havoc on Google Play. The scammers have published approximately 700 apps in total since the end of January. The apps are published on a daily basis and the scammers have invested around US$4,000 in order to pay the US$25 developer fee to publish apps on Google Play.

fig1.png

Figure 1. Total number of developers and apps developed

Dealing with the fraudulent apps has really become a game of cat and mouse. Once the apps are removed from Google Play, the scammers simply publish more under new developer accounts. These are again removed shortly afterwards, but the scammers simply continue to publish more. Most of the apps are removed on the date of publication,...

Read more
Phishers Offer Rita Ora’s Video
Mathew Maniyara | 16 May 2013 02:10:31 GMT | 0 comments

Contributor: Avdhoot Patil

Celebrity scandals are always popular and phishers are keen on incorporating them into their phishing sites. Recently, we observed a phishing site featuring British singer and actress Rita Ora. The phishing site was hosted on a free Web hosting site.

rita_ora_phishing.png

 

The phishing site prompted for Facebook login credentials that called the video a “social plugin”. The phishing page contained an image of a fake YouTube video of Rita in the background. The title of the video in question described it as an adult video of Rita Ora. A recent event involving an accidental exposure of Rita instigated phishers into devising this bait. The phishing site gave the impression that users could view the video shown in the background when login credentials are entered. In reality, after login credentials are entered,...

Read more