Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts tagged with Spam
Showing posts in English
Mathew Maniyara | 07 Mar 2013 00:51:04 GMT

Contributor: Avdhoot Patil

Phishers have already made their mark in Southeast Asia by targeting Indonesians. For the past couple of years, celebrities have been their key interest in the region. Aura Kasih and Ahmad Dhani are good examples. In March 2013, phishers turned their attention toward Myanmar by incorporating model and actress Wut Hmone Shwe Yee in a phishing site.

The phishing site spoofed a popular social networking site in order to ask for user login credentials. The phishing page was in Burmese. The background image contained a photograph of Yee from her recent modeling photo shoot. The phishing site stated that users can learn more about the model after logging into the social networking site. Phishers even...

Symantec Security Response | 01 Mar 2013 09:53:26 GMT

Over the last few years, many reports, white papers, and blogs have been released detailing targeted attacks. For example, some attacks employ sophisticated infection methods, such as watering hole attacks, and some rely on exploit code hidden in document files mixed with social engineering schemes. Some time ago, when the malware world was still dominated by mass-mailing worms that used fake emails as the infection method, one of the schemes was a fraudulent license renewal notification from well-known antivirus vendors.

Some may think that this scheme had become extinct but we saw evidence recently that it is still alive and kicking when an email was sent to an electric power company and a major industrial company in Japan.

Figure 1. Fake antivirus email with a Zip file attached

...

Evan liu | 27 Feb 2013 05:20:56 GMT

Major events and holidays have always been a time for celebrations. Unfortunately, it also attracts unscrupulous spammers searching to make a quick offer. Symantec observes that spam email usually spikes in conjunction with these holidays.

One such occasion is Defender of the Fatherland Day observed on February 23, which is a Russian holiday in countries of the former Soviet Union, such as Belarus and Tajikistan. Aside from parades and processions in honor of veterans, it is also customary for women to give small presents to men in their lives, such as fathers, husbands, and co-workers. Consequently, the holiday is often referred to as Men's Day.

As such, most spam emails revolve around souvenirs, small gifts, and even men’s medicine such as Viagra. Below is an example of some of these emails:

Subject: Волшебные подарки на 23 февраля
Translation: Magical gifts for February 23

...

Anand Muralidharan | 25 Feb 2013 20:01:22 GMT

February is a short month, but not too short for spam events to make an impact. Valentine's Day and its associated threats has passed, so now it is time for International Women's Day—celebrated on March 8 every year. This is a great occasion to express love, respect, and kindness toward women and spammers will always attempt to take advantage of these events. The following is a spam campaign we have observed targeting International Women’s Day with a fake product promotion.

Often, spam originating from Russia will attack targets using online marketing promotions with odd phone numbers. Here, spammers targeted users by providing fake offers for great gifts for Valentine’s and International Women’s Day and also some peculiar phone numbers are provided for ordering a gift certificate.

The following is an example of the Russian spam observed by...

Joji Hamada | 21 Feb 2013 16:57:15 GMT

The report, APT1: Exposing One of China's Cyber Espionage Units, published by Mandiant earlier this week has drawn worldwide attention by both the security world and the general public. This interest is due to the conclusion the report has drawn regarding the origin of targeted attacks, using advanced persistent threats (APT), performed by a certain group of attackers dubbed the Comment Crew. You can read Symantec’s response to the report here.

Today, Symantec has discovered someone performing targeted attacks is using the report as bait in an attempt to infect those who might be interested in reading it. The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The...

Anand Muralidharan | 08 Feb 2013 15:59:49 GMT

Most people are eagerly waiting for Valentine's Day. The day is an opportunity to spread affection and excitement amongst loved ones by exchanging gifts. Last year we observed prominent spam attacks using Valentine’s Day as bait. Messages promoted unbelievably discounted jewelry, dinning opportunities, and expensive gifts.

This year, various Valentine’s Day spam messages have started flowing through Symantec’s Probe Network. The top word combinations used in spam messages include the following:

  • Find-Your-Valentine
  • eCards-for-Valentine
  • Valentine’s-Day-Flowers

The e-card spam message, shown in Figure 1, arrives with a malicious attachment called ValentineCard4you.zip. After opening the attachment, malware is downloaded on to the user's computer. Symantec detects the attachment as...

Mayur Kulkarni | 08 Feb 2013 15:50:31 GMT

Phishers love to arouse curiosity and/or fear in the user’s mind and this stimulus can compel people to set aside all caution as well as  any safety measures they might have in place to avoid such scams.

In a recent spam sample seen in our probe network, we observed that by taking advantage of human curiosity, users can easily be duped into disclosing sensitive information to unknown persons. In order to ensure awareness of this campaign, and others like it, we will discuss this phishing scam in more detail.

In a slight variation to the telegraphic transfer spam attack seen in the past, we see that the message has a HTML attachment, instead of an archived executable file. As shown in Figure 1, users are advised to confirm a pending transaction with their bank and also told that there is a copy of a bank slip attached.

Figure 1. ...

Mathew Maniyara | 04 Feb 2013 18:27:27 GMT

Contributor: Avdhoot Patil

Recently, cybercriminals have been focusing on the conflict in Syria to incorporate current events in their cyber warfare. In December 2012, phishers mimicked the website of a well-known organization in the gulf with the motive of stealing a user's email login credentials. The phishing site asked users to support the Syrian opposition by casting their vote against the Syrian regime. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, United States.

The phishing site asked users if they wanted to criminalize the Syrian regime for the murder of innocent people. As seen in the image below, options were provided to agree or disagree. If the agree option was selected, the phishing site prompted users to select their email service provider, from a list of four popular providers, and then login in order to cast their vote.
 

...

Shunichi Imano | 29 Jan 2013 22:10:05 GMT

Symantec Security Response is aware that fake FedEx emails have been circulating recently. The emails claim the user must print out a receipt by clicking on a link and then physically go to the nearest FedEx office to receive their parcel. Obviously the parcel does not exist and those who click on the link will be greeted by a PostalReceipt.zip file containing malicious PostalReceipt.exe executable file. Instead of receiving a parcel, which the user did not order in the first place, Trojan.Smoaler is delivered to the computer.

All the fake FedEx emails delivering this malware are almost identical except for the order numbers and the website the zip file is hosted on. One sign of laziness, or perhaps an oversight on the part of the malware author, is an consistent order date. The author does change the domain where Trojan.Smoaler is hosted daily. The following emails were spammed out...

Anand Muralidharan | 29 Jan 2013 13:00:20 GMT

Symantec Security Response has observed that spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well an executable file. Symantec detects this threat as Trojan Horse.

Further analysis of the malicious file shows that the threat creates the following file:

%SystemDrive%\ProgramData\ift.txt

It also alters the registry entries for Internet Explorer.

The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an...