Security Response

Symantec has recently observed a trend of phishing sites attacking brands that feature online classifieds. The legitimate classifieds brands help customers seek and exchange information on various categories such as employment, real estate, automotive, matrimonial, and so on. These brands are typically free of cost and only require users to open a free account and do not include any form of monetary transaction. So, why are fraudsters attacking the brand when there is no financial transaction taking place?

Well, after stealing the user’s login information, the attacker then looks at the list of the user’s postings. Upon studying the categories of advertisements the user has been through, the attacker can send targeted phishing emails. This is all possible because the stolen login information consists of both the user’s email ID and password, rather than just a unique user ID.

The phishing emails are sent with several subjects; for example, the...

Symantec previously reported a phishing attack on the Indian Income Tax Department. Phishing emails boasting of tax refunds were sent to users in an attempt to entice citizens to enter their credentials on a bogus website. Recently, new attacks have been observed in which the phishing website states that taxes can be paid online. As the fiscal year in India draws to an end, more people are rushing to pay taxes before the deadline.

There are two types of tax payments in India; namely, TDS (Tax Deducted at Source) and TCS (Tax Collected at Source). Customers can pay their taxes using the e-payment facility that requires sensitive information, such as personal information and bank or credit card details. Below is a screenshot of the phishing page:

...

Following our blog, Zero-Day Attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software, covering the recent IE Zero-day, we thought it might be interesting to look at an attack in the wild using this vulnerability and the resulting payload.

In what is thought to be a targeted attack, the targets were duped into visiting the site Topix21century.com, which was recently registered on March 6, 2010. Once the site is visited and the target is exploited using JS.Sykipot, they find themselves with Backdoor.Sykipot installed on their system....

Internet Explorer 6 may have taken its path to retirement but it still remains a good target for exploits, as we can see from JS.Sykipot. This zero-day was found on March 8th and it exploits a vulnerability in some Internet Explorer versions (CVE-2010-0806 , BID 38615) that can lead to remote code execution. Upon successful exploitation, JS.Sykipot will download and run Backdoor.Sykipot, which is a back door capable of communicating with its control server to receive and run several commands.

In my tests, the exploit worked successfully on IE6...

We recently received a file (from CERT) for analysis. We found that the file was a Trojan that opens a back door on a compromised computer and listens for commands on port 7777. This by itself is not very unusual, but what surprised us was that this file was being distributed by Energizer Inc as part of a USB charger-monitoring software package.

When we checked the manufacturer’s website, the file was still available as part of the USB charger software package. As part of the installation process for the USB charger software, the file “Arucer.dll” is created and added to the registry run key. We discovered that this file is the Trojan and added detection for it as Trojan.Arugizer. Since the file is added to the run key, the Trojan starts every time the computer starts. The Trojan listens for commands from anyone who connects and can perform various actions...

“Big Brother Brazil” is a Brazilian reality TV program adapted from the popular Big Brother television series. The show is about a group of people living together in a purpose-built Big Brother house, isolated from the outside world, while being monitored by cameras 24x7. The television series is viewed by scores of people during primetime hours, but live feeds are also available from multiple cameras in the house on the Web. Part of the popularity is due to the fact that some of the videos are suitable only for adult viewing.

Symantec has observed phishing attacks—against social networking websites—claiming to have Web applications that will provide live feeds of the show that are available for viewing. Users are asked to enter their credentials and add the application in order to watch the show live. The sheer amount of interest in the show will lure some people into entering their credentials. The Big Brother Brazil social networking application...