Symantec Blogs: Security Response

Eric Chien | July 22nd, 2009

SMS phishing (“SMSishing”) occurs when you receive an SMS message that is purportedly sent from a reputable source, such as your bank, asking for personal details. Although SMSishing first started a few years ago, a couple of recent SMSishing attempts directed at some colleagues of mine provided a good opportunity to document the attack.

The attacks start when attackers use automated services that can send many SMS messages at once to deliver messages such as the following:

FRM:3106******@*********.com
MSG:H*****FCU Notice: Please contact us immediately at 6366******

Or:

FRM:F**
SUBJ:Alert
MSG:F****** Alert. Unusual activity - Call now at 1-(888)3**-****

In the above two cases, the bank names and phone numbers are censored, but the messages typically follow the same pattern of specifying a bank and that there is some type of urgent need for you to contact them. When you call the number you...

Eric Chien | March 15th, 2007

One of the principles behind malware is that it follows technology and mainstream culture. If ninety percent of the world was using the EricOS, the vast majority of threats would be designed to run on the EricOS because otherwise the threat would have nothing to infect.

In China, online computer usage patterns affect the types of malware Symantec sees there. In particular, if you walk into an Internet cafe in China, rarely do you see people using search engines like Google or on Web sites like MySpace. Instead, the vast majority of people have headphones on and are playing online games such as Lineage or World of Warcraft.

Thus, Symantec sees a lot of Infostealers that attempt to steal credentials for these types of online games. Once credentials are stolen, the hacker logs into the account, steals the virtual items, and then attempts to sell them for real money through various boards outside the virtual gaming world.

An example of this threat is Lingling (Lingling means...

Eric Chien | March 7th, 2007

Symantec has recently received a phishing email that makes use of an interesting technique of hiding a phishing site URL. When receiving a suspected phishing message, one of the methods of determining if the embedded URLs are legitimate or not is to simply pass your cursor over the underlined hyperlink and then check the URL in the status bar of your browser. In the status bar, you can see if the link belongs to the appropriate domain or not.

Using JavaScript, one can alter the text in the status bar, so when browsing the Web in general, this isn't always a reliable technique to verify the underlying URL. However, when receiving an HTML email in an email client (including Webmail), JavaScript is generally neutered so it does not execute. That prevents obfuscation of the status bar via JavaScript and makes this technique more reliable. However, this phishing message we recently received is able to modify what is displayed in the status bar...

Eric Chien | March 6th, 2007

I recently received an email supposedly from the Anti-Scam Department of the British Secret Intelligence Service. They sent me an email because apparently my "email address signaled to our computer database today, with strong indication that you currently MIGHT be in a business transaction where you are a SCAM VICTIM unknowingly." Oh no!

In particular, they asked if I was:
• in a business transaction case that would claim millions of dollars
• told by a lottery company that I have successfully won millions
• told I had overdue contract funds
• promised to receive large sums of money in excess of millions of dollars
• promised to be awarded a contract worth millions or billions of dollars

If so, "there is a 99.99% chance that you are currently a victim of fraud/scam, run by notorious criminals known as con artists, with the sole aim of scamming and ripping you off your very hard earned funds!!"

Eric Chien | July 17th, 2006

The recent Yahoo! Mail worm, JS.Yamanner@m, is symptomatic of our increased usage and reliance on Web applications. This past weekend we saw a similar attack, but this time it was on the MySpace social networking site. Web applications are just as vulnerable to certain exploits, and even more so in some cases. In particular, services that allow people to author and post content under the service domain must always neuter any active content such as JavaScript. MySpace fails to do so, allowing an attacker to automatically hijack any user's MySpace page as soon as they visit an infected MySpace page.

The attack works by using an embedded Shockwave Flash file. The MySpace site allows members to post embedded content, such as movies and Shockwave Flash files, via an HTML “embed” tag. Shockwave Flash files can contain scripting that is simply a variant of JavaScript (...

Eric Chien | July 10th, 2006

The Symantec Security Response team has received multiple reports of the hijacking of Yahoo! instant messaging accounts over this past weekend. The hijacking seems to be successful because some users are unwittingly providing their Yahoo! login credentials to a phishing Web page. There are several phishing Web pages involved in the attacks, some of which are listed here:
www.geocities.com/cindy7781115
www.geocities.com/madhatterchick15
www.geocities.com/julianna2504j15

Please use caution when receiving instant messages with links included in the text, especially any links that require you to login to another Web site. This phishing attack will attempt to use valid and current (compromised) Yahoo! accounts so that messages sent will appear to come from trusted contacts, so you'll need to keep a keen eye out for strange messages. For a detailed explanation on how this attack is carried out, please refer to my previous blog entry that describes...

Eric Chien | May 14th, 2006

Being in this business, we are often called upon to help clean up the computers of families and friends. In the past I have had many friends who thought they had a virus, but usually it was just some other system anomaly. Times have changed though, and now I tend to see a lot of adware and spyware as well as infections from worms and IRC bots. Usually it is just a matter of running a few tools, deleting a few registry keys and files and everything is better.

So, when a friend of mine recently sent me an odd instant message (IM) on Yahoo IM, I wasn’t that surprised. I immediately recognized it as suspicious, since my friend would have no reason to be using a free Brazilian homepage Web site, and I don’t think he had ever written a smiley face in the manner displayed on the IM. (See figure 1)

IMphishing_1.JPG
...