Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Message Filter
Showing posts in English
Chinese Phish Tastes Bitter With Prizes
Mathew Maniyara | 30 Nov 2011 18:07:31 GMT | 0 comments

Co-Author: Avdhoot Patil

Symantec is familiar with baits commonly used in Chinese phishing sites. A grand prize, for instance, is often used as phishing bait. This November, 2011, phishers continue with the same strategy by including a brand new iPad 2 for a prize. The phishing sites were hosted on a free webhosting site.

The phishing page spoofs the Chinese version of a social networking gaming application. What is most interesting about the phishing page is that it displays a warning for an incorrect password (in red) even before any user credentials are entered. The phishing site announces to users that all fields are required to be filled before proceeding to the lucky draw. Users are prompted to enter their email address, password, email password, and birth date. The phishing site then states the winning email addresses will be drawn and winners would receive an iPad 2 and...

Read more
Evolution of Russian Phone Number Spam
Emily Liu | 28 Nov 2011 19:27:40 GMT | 0 comments

Article contributed by Emily Liu, Symantec Security Response Technician

Most of the Russian spam emails we usually encounter are about online advertising, product promotion, and training workshops. These spam emails typically are sent out unsolicited from free or hijacked personal email accounts, without opt-out, and have randomized subjects to avoid being caught in spam filters. Despite the use of random subjects, we continue to observe spammers who like to list phone numbers in the email as the only available means of contact instead of direct URL links.

Here is an example of a recent Russian event promotion spam:

Here is the English translation:

Figure 1. Russian-language spam promotion...

Read more
Beware of Your Holiday Travel E-Ticket Confirmation
Sammy Chu | 22 Nov 2011 00:17:22 GMT | 0 comments

How does Symantec know it's the week of Thanksgiving? Because as the busiest travel day of the year day quickly approaches, the day just before Thanksgiving , there is a surge in fake email ticket confirmations that lead to viruses.

Here is what a fake airline message looks like:

If you inspect the HTML coding for this message carefully, you will notice a malicious link in the anchor tag:

This link redirects to a known malware-hosting site in Russia which previously hosted Trojan.Maljava. Trojan.Maljava is a detection name used by Symantec to identify malicious Java files that...

Read more
Fake Social Networking Application Promotes Maldives
Mathew Maniyara | 12 Nov 2011 00:21:01 GMT | 0 comments

Co-Author: Avdhoot Patil

When phishing through social media, fake applications are a key technique used by phishers to introduce new kinds of baits. In October, 2011, phishers launched a new fake application named "Maldivian App". The phishing site was hosted on a free webhosting domain. It should be noted the legitimate site does not provide such an application.

Phishers put in more creative thought and time than usual in designing this phishing page. The phishing site contained an image with details about the application and included a form for Web users to enter login credentials. The image presents a ribbon in the tricolors of the Maldivian flag accentuated with the logo of a social networking brand and a Maldivian flag T-shirt. A prominent description of the application boasts that, after logging in, users would receive "cool news" about the Maldives.

For those interested in learning more about Maldives, wouldn’t it be...

Read more
Malicious Gaddafi Death Spam Continues
Samir_Patil | 31 Oct 2011 19:04:30 GMT | 0 comments

Contributor: Anand Muralidharan

Recently, the death of Libyan leader Muammar Gaddafi triggered a malware attack which Symantec previously blogged about. We have observed spammers' continued delight with this news event through the sending of malicious attack and 419 spam messages.

In the spam targeting residents of Brazil, a video showing Gaddafi asking for mercy and containing disturbing images also carries malware. By clicking the link provided in the email, users actually download a malicious executable file. Symantec has identifed this threat as Trojan.Ransomlock!gen4.
 

 

The email...

Read more
Phishers Continue Celebrity Promotion with Selena Gomez and Demi Lovato
Mathew Maniyara | 25 Oct 2011 21:55:06 GMT | 0 comments

Co-author: Avdhoot Patil

Celebrity promotion has gained momentum in the world of phishing. In October 2011, we observed Indonesian rock star Ahmad Dhani was being used as phishing bait and phishers continue their stream of celebrity bait with popular singers Selena Gomez and Demi Lovato. Celebrities with a large fan following are phishers’ favorites (because they believe a larger audience will mean more duped users).

In today's example, phishers created phishing sites that spoofed the login pages of a popular information services website. The phishing pages contained a picture of the singer and the page altered to give the impression that users could gain access to additional content about the celebrity after entering their own login credentials. It should be noted good websites will never alter the format of their login page for celebrity promotions. After the...

Read more
Libyan Leader Muammar Gadhafi's Death Spam
Stephen Doherty | 24 Oct 2011 02:05:39 GMT | 0 comments

Threat Analysis: Alan Neville

As word spreads of the death of Muammar Gadhafi, cybercriminals are starting to take advantage. We are already seeing spam campaigns related to his death with malicious attachments. Here are a couple of examples of what we have seen so far.

This particular campaign claims that Muammar Gadahfi’s death may not be true. The attachment is a malicious help file that contains Backdoor.Misdat as the payload.

Another example follows, but the attachment was corrupt. Thus, an unsuspecting user would not, in fact, have infected their computer if they had attempted to open the attached archive.

We expect to see many more of these emails over the next few days, typically with...

Read more
Phishers Promote Indonesian Rock Star
Mathew Maniyara | 19 Oct 2011 00:10:04 GMT | 0 comments

Thanks to the co-author of this blog, Avdhoot Patil.

In the month of January 2011 Symantec reported adult scams that targeted Indonesian Facebook users. These scams claimed to have an application in which users could view adult videos of Indonesian celebrities, taken from hidden cameras.

It seems that phishers are now using specific celebrities as bait for their phishing sites. This is unlike the previous Indonesian adult scams whose phishing pages gave the impression that the adult video would be of a random celebrity. In October 2011 phishers continued their adult scams on Facebook, but this time they chose the Indonesian rock star Ahmad Dhani in particular. Dhani is the frontman of the rock bands “Dewa 19” and “Ahmad Band”. The phishing site contained a photograph of Ahmad Dhani and Indonesian singer Dewi Persik. The Indonesian caption of...

Read more
Spammers Pay Tribute to Icons with Atrocious Malware
Samir_Patil | 12 Oct 2011 01:07:37 GMT | 0 comments

Contributor: Christopher Mendes

When stalwarts pass away the world mourns their loss, tributes flow and emotions run high. Whenever we lose a legendary figure, their death brings shock or grief and people are hungry for any and every available piece of information about the "How" and the "Why" and the "When" related to the death of these important figures. We studied the aftermath of these icons’ passing and the eulogy written by spammers. The spammer’s sole motive is to use incidents to compromise weak systems.

On further examination of the collected data we traced a predictable pattern, the details of which are given below:

Michael Jackson Subject: Michael Jackson not dead
Subject: Michael Jackson seen alive
Subject: Michael Jackson lives		 ...
Read more
Blackhole Exploit Targeting Steve’s Death
Samir_Patil | 07 Oct 2011 19:02:10 GMT | 0 comments

Contributor: Anand Muralidharan

The sad news making the rounds these days is the death of Steve Jobs, Apple Co-founder and former CEO. His death has been a terrible loss to both Apple and Apple fans everywhere.

Spammers are capitalizing on this incident by sending malicious links related to the news of Steve Jobs’ death. Below is a screenshot of one such spam email containing a malicious link:

More malicious links found relating to death spam are:

http://[removed]com/pink.html
http://720[removed].info/habit.html
http://ebuy[removed].com/kids.html
http://[removed].com/grain.html

All these websites contain obfuscated code leading to a BlackHole exploit. Most of the domains are recently registered, however a few of the older domains look quite legitimate and seem to be hijacked.

Below are the Subject lines which have been...

Read more