Symantec Blogs: Security Response

Liam O Murchu | November 16th, 2009

Finally, some help with explaining Internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while.

Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice,...

Liam O Murchu | March 4th, 2008

We have previously discussed Trojan.Bayrob without describing the entire attack from end to end. This article will show how the entire scam works from initial contact right through to the actual sale. Security experts at eBay are already well aware of it and working to protect their customers.

Tip: It should be noted from the outset that potential buyers should read safety tips and follow preventative measures provided by their service provider.

To start with, take a look at this video for a walk-through of our analysis:

In order to attract potential victims the scammers first list cars for sale on various auction sites. These auctions are not scams per se, but they are "legit" auctions that are used solely to attract potential victims—whoever asks a question or bids on these auctions becomes a potential victim. Once these auctions have expired the scammers get to work emailing each potential victim. These emails explain that the winner of the...

Liam O Murchu | October 31st, 2007

Recent reports have shown that Trojan.Bayrob is scamming people again. The latest victim lost over €5,000 to the scam but luckily was able to track down where the money had been sent. Unfortunately the final destination for the money was a Western Union outlet in Greece, after having been first sent through a money mule in the US.

Once Trojan.Bayrob is executed on a user’s system it can intercept all traffic to eBay. It can then show the infected user any content that it chooses instead of the real pages and it can also alter information that is shown to the user from the real pages. Trojan.Bayrob is used to scam people who are trying to buy cars on eBay.

The attack is a targeted attack and as such it is difficult to establish the exact methods that are used to distribute the Trojan; however, from evidence gathered thus far the attack works in a manner similar to the following:
• The attacker posts an auction on eBay.
• This auction is used to gain...

Liam O Murchu | August 1st, 2007

Brazil is the home of the infamous Infostealer.Bancos family of malware. Recently, however, we have seen a more diverse number of sites - beyond just banking sites - coming into the crosshairs of the Brazilian malware gangs. Is the recent W32.Imcontactspam worm another of their creations?

The worm is Brazilian and spammed the infected users’ MSN contacts with email advising them that they had received an electronic greeting card. We see these types of worms quite often; however, what caught our attention were the similarities between the techniques this worm uses and the techniques used by the Infostealer.Bancos family of trojans.

When executed, the worm does the following:

  1. Minimizes the real MSN Messenger login window;
  2. Displays a fake Portuguese language MSN login screen;
  3. Records the username and password that is typed;
  4. Displays the real MSN Messenger login window (user must re-type password);
  5. Records the email address of all...

Liam O Murchu | March 7th, 2007

On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay (e.g. second-hand car sales companies).

In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the...

Liam O Murchu | January 11th, 2007

We regularly see Brazilian Bancos samples that try to steal the credentials of Brazilian bank users. These are generally delivered via spam or drive-by downloads. However, recently a different form of threat was spotted that specifically targets Brazilian users.

W32.Selfish is a file infector that checks what your default language pack is and only proceeds to execute its payload if you are using the Brazilian Portuguese Language pack. If you are using a different language pack, W32.Selfish will simply execute the infected host file and exit.

When W32.Selfish is executed on a Brazilian machine, it tries to download a file from the internet and execute it. At the time of writing, this file is not accessible, so it is uncertain whether it will download a Brazilian bank password stealer. However, the emergence of this threat does show that Brazil is being specifically targeted by online criminals. Not only does this show that criminals are targeting Brazil, but it...

Liam O Murchu | May 25th, 2006

The commercialization of every aspect of online fraud has been a growing trend over the last few years. [1] This commercialization has now hit the drive-by download market. A new subscription service that automates drive-by downloads is now available and being touted in the underground.

This service provides a point-and-click solution for anyone who wants to set up drive-by downloads on their own Web site. Some features offered by the service include: browser and browser version detection, OS detection, Windows service pack detection, JVM version detection, and antivirus software detection.

These detection processes allow specific exploits to be leveraged in each case. The team behind the service also claims to have the ability to develop exploits based on vendor advisories, which presents the worrying scenario of zero-day exploits being available to their customers. This could lead to a similar situation that occurred when WMF exploits were...