Video Screencast Help
Security Response
Showing posts tagged with Symantec Protection Suites (SPS)
Showing posts in English
Anand Muralidharan | 10 May 2013 07:40:10 GMT

The 58th season of the UEFA Champions League is coming to an end with the final being played on May 25 at Wembley Stadium in London. Nowadays, cybercriminals are gaining a lot of interest in football, at least inasmuch as how to exploit interest in football to their advantage, and Symantec has recently blogged about cybercriminals continuing to show interest in football.

Spammers are exploiting the latest sporting event by sending spam of fake ticket offers through email. Below is an Italian spam campaign we have observed targeting the UEFA Champions League with a fake ticket offer promotion.

Champions league one.png

The spam can be identified by the following headers:

Subject: Scopri come puoi vincere i biglietti per la Finale UEFA Champions League...

Samir_Patil | 08 May 2013 18:10:51 GMT

Contributor: Binny Kuriakose

People dream big when buying expensive items like a car or a property. When those dreams are seen with very affordable price tags it certainly attracts everybody’s interest. There are lots of websites available that allow people to post free classified advertisements online and one of the biggest categories is that of used cars. This is the new breeding ground for the old escrow tricksters.

This blog will discuss an interesting case of how a free classified advertisement and an escrow service turned out to be an online scam.
 

What are escrow services?

Escrow services are essentially mediators in trade that ensure all terms, agreed by both parties, are met. Escrow companies take the payment from the buyer and ‘hold it’ until the seller delivers the goods to the buyer and all the terms of sale are met. If you are buying an item from an unknown party without meeting face-...

Anand Muralidharan | 06 May 2013 08:43:36 GMT

Mother’s Day is celebrated in many countries on May 12 and it’s a day for children, regardless of age, to express their love to their mother by giving her a gift. Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically redirects the recipient to a website containing a bogus Mother’s Day offer upon completion of a fake survey.

mothers 1.png

Figure 1: Survey spam targeting Mother’s Day

Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the bogus offer.

mothers 2.png

Figure 2...

Eric Park | 03 May 2013 20:14:54 GMT

Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.
 

pw TLD blog update.png

Figure 1. .pw TLD spam message increase
 

Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada. 

Examining messages found in the Global Intelligence Network, Symantec...

Sammy Chu | 01 May 2013 23:12:31 GMT

For that past several days, Symantec has observed an increase in spam messages containing hexadecimal obfuscated URLs. Hexadecimal character codes are simply the hexadecimal number to letter representation for the ASCII character set. To a computer, hexadecimal is just one out of the many systems for address expressions on the Internet.

The following samples are different hexadecimal representations for http://www.symantec.com.

Hexadecimal only:

http://www.

symantec.co&#x006d

Hexadecimal and ASCII characters:   

(“http” and “com” are in ASCII characters and the...

Ashish Diwakar | 26 Apr 2013 21:25:07 GMT

Contributor: Avhdoot Patil

Phishers have recently gained a lot of interest in football. Various phishing attacks using football were observed in 2012. Phishers have already shown their interest in the 2014 FIFA World Cup, football celebrities, and football clubs. Scam for LIONEL MESSI Fans and Scam for FC Barcelona are good examples of phishers using football celebrities and football clubs. Fraudsters understand that choosing celebrities with a huge fan base offers the largest amount of targets which could increase their chances of harvesting user credentials. In April 2013, the trend continued with phishers using the same strategy. The phishing sites were in French on a free web hosting site.

The phishing sites prompted users to enter their Facebook login credentials on pages designed to...

Eric Park | 26 Apr 2013 17:57:25 GMT

Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs.  While it was originally a country code top-level domain for Palau, it is now available to the general public through Directi, who branded it as “Professional Web”.
 

pw tld blog 1.png

Figure 1. .pw TLD URL spam message increase
 

Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:
 

pw tld blog 2_0.png

Figure 2. TLD distribution list - last 90 days
 

However, the .pw URL jumps to the fourth spot when looking at the last 7 days:
...

Mathew Maniyara | 24 Apr 2013 18:22:36 GMT

Contributor: Avdhoot Patil

Phishers are not letting go of the chaos in Syria. They are using a common phishing template and modifying the messages. In March, phishers mimicked the same website of an organization in the Arab Gulf States observed in a previous phishing site. But instead of promoting the Syrian opposition, phishers impersonated the UN in a scheme meant to show support for the people of Syria. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, in the United States.

Just recently, phishers have tried to entice users by condemning the Syrian regime. Now, they are citing the Syrian President, Bashar al-Assad, in particular. The phishing site we observed contained a message in Arabic that asked users if they agreed with condemnation of the Syrian President as a war criminal. The message gave options...

Ashish Diwakar | 22 Apr 2013 18:18:15 GMT

Contributor: Avdhoot Patil

Promotion for Telugu movies has gained momentum in the world of phishing as they continue to be targeted with phishing scams. The phishing site featuring the movie “Brindavanam” is one example. In a more recent case, phishers used a captivating song from the Telugu movie, “Saitan” as bait.
 

Telugu Movies 1 edit.jpg
 

The phishing site displayed a picture from a captivating musical number from the movie “Saitan” starring Telugu actress, Santosh Samrat, and Sri Lankan film and teledrama actress, Akarsha, on the left side of the phishing page. The picture from the musical number was taken from the legitimate movie website. The phishing...

Mathew Maniyara | 18 Apr 2013 15:03:02 GMT

Contributor: Avdhoot Patil

Phishers have already shown interest in the violence that erupted recently in various parts of the Arab world. The phishing attack involving Syria is a good example. Phishers are now taking advantage of the political unrest in Egypt as protests in the country continue. In March 2013, phishers promoted former Egyptian Prime Minister Ahmed Shafik in a phishing site. The phishing site was hosted on servers based in North Carolina, USA. The name “Ahmed Shafik” was used in the domain name of the phishing site.

blurred_website_600px.png

Figure 1. Phishing site designed as a fake official website of Ahmed Shafik

The phishing site was designed to look like an official page of the politician. It...