Security Response Blog

Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.

  • Created: Mathew Maniyara 16 May 2013 02:10:31 GMT

    Phishers Offer Rita Ora’s Video

    Contributor: Avdhoot Patil

    Celebrity scandals are always popular and phishers are keen on incorporating them into their phishing sites. Recently, we observed a phishing site featuring British singer and actress Rita Ora. The phishing site was hosted on a free Web hosting site. The phishing site displayed a prompt for Facebook login credentials that called the video a “social plugin”. The phishing page contained an image of a fake YouTube video of Rita in the background. The title of the video in question described it as an adult video of Rita Ora. A recent event involving an accidental exposure of Rita prompted phishers to devise this bait. The phishing site gave the impression that users could view the video shown in the background once login credentials were entered. In reality, after login credentials are entered,...
  • Updated: Anand Muralidharan 15 May 2013 18:01:13 GMT

    Increase in Pump and Dump Stock Spam

    In the last few weeks we have observed a drastic increase in “penny stock” spam emails. In 2011 Symantec published a blog entitled Global Debt Crises News Drives Pump-and-Dump Stock Scams, which also dealt with this type of spam. Penny stocks, also known as cent stocks, are shares in small companies that trade at low prices, often as low as a few cents per share. Penny stocks are a very popular topic among spammers. The spam emails advertise the cheap shares and state that the company is on the verge of becoming very successful and that the value of the shares will rise significantly. The emails make out that the company is more valuable than it actually is and imply that it has just created some major product or is on the verge of a breakthrough, and that the share value is tipped to rise dramatically. The aim is to increase sales of the stock,...
  • Created: Anand Muralidharan 10 May 2013 07:40:10 GMT

    Fake Promotional Offers Targeting UEFA Champions League 2013

    The 58th season of the UEFA Champions League is coming to an end with the final being played on May 25 at Wembley Stadium in London. Cybercriminals are taking a growing interest in football, at least insofar as they can exploit fans’ interest in it to their advantage, and Symantec has recently blogged about cybercriminals continuing to show interest in football. Spammers are exploiting the latest sporting event by sending fake ticket offers through email. Below is an Italian spam campaign we have observed targeting the UEFA Champions League with a fake ticket offer promotion. The spam can be identified by the following headers:

    Subject: Scopri come puoi vincere i biglietti per la Finale UEFA Champions League...
  • Updated: Samir_Patil 09 May 2013 03:10:11 GMT

    Escrow Scams Searching New Avenues

    Contributor: Binny Kuriakose

    People dream big when buying expensive items like a car or a property. When those dreams come with very affordable price tags, they certainly attract everybody’s interest. There are lots of websites that allow people to post free classified advertisements online, and one of the biggest categories is used cars. This is the new breeding ground for the old escrow tricksters. This blog will discuss an interesting case of how a free classified advertisement and an escrow service turned out to be an online scam.

    What are escrow services?

    Escrow services are essentially mediators in trade that ensure all terms, agreed by both parties, are met. Escrow companies take the payment from the buyer and ‘hold it’ until the seller delivers the goods to the buyer and all the terms of sale are met. If you are buying an item from an unknown party without meeting face-...
  • Created: Anand Muralidharan 06 May 2013 08:43:36 GMT

    Spammers Continue to Exploit Mother’s Day

    Mother’s Day is celebrated in many countries on May 12 and it’s a day for children, regardless of age, to express their love to their mother by giving her a gift. Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically redirects the recipient to a website containing a bogus Mother’s Day offer upon completion of a fake survey.

    Figure 1: Survey spam targeting Mother’s Day

    Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the bogus offer.

    Figure 2...
  • Created: Eric Park 03 May 2013 20:14:54 GMT

    .pw URLs in Spam Keep Showing Up

    Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.

    Figure 1. .pw TLD spam message increase

    Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada. Examining messages found in the Global Intelligence Network, Symantec...
  • Updated: Sammy Chu 02 May 2013 19:57:37 GMT

    The Hexadecimal URL Obfuscation Resurgence

    For the past several days, Symantec has observed an increase in spam messages containing hexadecimal obfuscated URLs. Hexadecimal character codes are simply the hexadecimal number to letter representation for the ASCII character set. To a computer, hexadecimal is just one out of the many systems for address expressions on the Internet. The following samples are different hexadecimal representations for http://www.symantec.com. Hexadecimal only: http://www. symantec.co&#x006d Hexadecimal and ASCII characters:    (“http” and “com” are in ASCII characters and the...
  • Updated: Ashish Diwakar 02 May 2013 19:57:41 GMT

    Fraudsters Continue to Show Interest in Football

    Contributor: Avdhoot Patil

    Phishers have recently taken a lot of interest in football. Various phishing attacks using football were observed in 2012. Phishers have already shown their interest in the 2014 FIFA World Cup, football celebrities, and football clubs. Scam for LIONEL MESSI Fans and Scam for FC Barcelona are good examples of phishers using football celebrities and football clubs. Fraudsters understand that choosing celebrities with a huge fan base offers the largest number of targets, which could increase their chances of harvesting user credentials. In April 2013, the trend continued with phishers using the same strategy. The phishing sites were in French on a free web hosting site. The phishing sites prompted users to enter their Facebook login credentials on pages designed to...
  • Updated: Eric Park 02 May 2013 19:57:44 GMT

    Rise of .pw URLs in Spam Messages

    Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs. While it was originally a country code top-level domain for Palau, it is now available to the general public through Directi, who branded it as “Professional Web”.

    Figure 1. .pw TLD URL spam message increase

    Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:

    Figure 2. TLD distribution list - last 90 days

    However, the .pw URL jumps to the fourth spot when looking at the last 7 days:...
  • Updated: Mathew Maniyara 02 May 2013 19:57:48 GMT

    Phishers Campaign for More Votes Against Syrian Regime

    Contributor: Avdhoot Patil

    Phishers are not letting go of the chaos in Syria. They are using a common phishing template and modifying the messages. In March, phishers mimicked the same website of an organization in the Arab Gulf States observed in a previous phishing site. But instead of promoting the Syrian opposition, phishers impersonated the UN in a scheme meant to show support for the people of Syria. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, in the United States. Just recently, phishers have tried to entice users by condemning the Syrian regime. Now, they are citing the Syrian President, Bashar al-Assad, in particular. The phishing site we observed contained a message in Arabic that asked users if they agreed with condemnation of the Syrian President as a war criminal. The message gave options...