We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, transforming from malicious code attacks into URL-based phishing attacks. These new attacks have similar traits, such as the spoofed “From” headers, which aggressively target and baffle enterprise users, and a subject line that is intended to cause panic (for obvious reasons—have a look at the example image below).
As seen in the message above, the mail attachment is a zipped file named “utility.zip” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using...
Symantec has always recommended that personal information, especially financial information such as Social Security numbers, credit card numbers, and of course your email address must not be revealed anywhere on the Internet. Many security experts also believe that disclosing an IP address to an unknown person on the Internet is equally dangerous. We also now need to be cautious of not divulging our mobile numbers or date of birth because these bytes of information are also vitally essential, and are considered part of your identity by financial institutions.
We are monitoring a new wave of phishing attacks that is attempting to extract information such as the mobile numbers and/or dates of birth of recipients by using false alerts:
A couple of the Subject lines of these alerts are:
Symantec recently reported a malicious spam campaign against Facebook, which is now accompanied by a phishing attack. These messages look like an official Facebook invite or password reset confirmation mail.
If we place the cursor over the update button in the message, we can actually see the phishing URL in the status bar. If a user clicks on the “Update” button, he or she is redirected to a Facebook look-alike phishing site. Here, users are asked to enter a password to complete the update procedure. Unfortunately, the user’s password will be stolen if they try to log in on this page.
These attacks can be identified by the subject lines listed below:
Facebook account update
New login system
Facebook Update tool
We have recently come across a different type of phishing attack that involves JavaScript being used to attempt to trick users into submitting sensitive banking-related information. This type of attack usually carries an HTML file attachment. The HTML file will locally open a look-alike bank submission form with the capability to pass critical user information to the phisher’s server.
Case 1
In the past, we monitored attacks with a similar type of file attachment, but they contained straightforward redirection code. There are different ways to redirect users to the desired location. One of the simpler HTML codes for redirection is shown below:
