Security Response
Showing posts tagged with Online Fraud
Candid Wueest | 14 Mar 2008 07:00:00 GMT | 0 comments

There are hundreds of ready-for-use phishing kits available on the Internet. At the beginning of this month, a list with more than 400 links had been circulated on mailing lists and forums. Some kits are a compilation of different sophisticated scripts that can spoof many different brands at once and sometimes even bypass two-factor authentication schemas. However, the vast majority are simply archived copies of the original Web site, modified to include a small PHP script that will send the stolen credentials to an email account.

We know that not all phishers have a Ph.D. in the art of phishing; therefore, you can sometimes find some interesting and funny pieces of code in phishing kits found on the Internet. As Easter is coming up soon, I decided to compile a top five list of the funniest Easter eggs that I have seen in phishing kits lately.

In 5th place: Local image paths
Sometimes, phishers do not check if all links are converted correctly....

Chen Yu | 12 Mar 2008 07:00:00 GMT | 0 comments

My colleague, Takashi Katsuki, posted a blog that describes how Trojan.Farfli provides a service to affiliates, which allows them to increase the number of hits for an affiliate’s tracker. Recently I came across another Trojan, which provides such a service: Trojan.Trafbrush.

When Trojan.Trafbrush is executed, it drops several components and registers a browser helper object (BHO). It then downloads two configuration files from One of the files is config.ini, which contains display options of a...

Liam O Murchu | 05 Mar 2008 05:07:51 GMT | 0 comments

We have previously discussed Trojan.Bayrob without describing the entire attack from end to end. This article will show how the entire scam works from initial contact right through to the actual sale. Security experts at eBay are already well aware of it and working to protect their customers.

Tip: It should be noted from the outset that potential buyers should read safety tips and follow preventative measures provided by their service provider.

To start with, take a look at this video for a walk-through of our analysis:

In order to attract potential victims the scammers first list cars for sale on various auction sites. These auctions are not scams per se, but they are "legit" auctions that are used solely to attract potential victims—whoever asks a question or bids on these auctions becomes a potential victim. Once these auctions have expired the scammers get to work emailing each potential victim. These emails explain that the winner of the original...

Silas Barnes | 03 Mar 2008 08:00:00 GMT | 0 comments

While there are various ways for attackers to trick users into disclosing their authentication credentials, phishing remains one of the most popular. Our spam traps caught a series of emails purporting to be from a disgruntled eBay user demanding an answer regarding a recent transaction. The emails contain a number of hyperlinks to the product in question which, when clicked, result in a browser-based FTP transaction to a remote host which displays a carbon copy of the legitimate eBay login page.

What caught my attention was the inclusion of one of eBay's security tips within the fraudulent copy, instructing users to "Check that the Web address in your browser starts with". One only needs to follow this advice to see that the page they are on is indeed suspicious:


Marvin Fabuli | 27 Feb 2008 08:00:00 GMT | 0 comments

We are currently in the process of compiling the upcoming Symantec Internet Security Threat Report. I am putting together the phishing sections for the Asia-Pacific and Europe, Africa, and Middle East ISTRs. One of the things that we've noticed is that there are several instances of very small countries hosting high numbers of phishing Web sites. Obviously this raised the question of why this would be.

After we'd gone through related data—bot-infected computers, spam zombies, phishing hosts, etc.—we couldn't come up with any data that would explain this emerging phenomenon. We asked ourselves what in the political-economic profiles of these small nations would make them attractive for, or susceptible to, phishing Web sites, when one of our analysts pointed out that they are often used to host online gambling sites. In part, this is because gambling sites that use real money (as opposed to free poker sites, for instance) are illegal in the United...

Andrea DelMiglio | 22 Feb 2008 08:00:00 GMT | 0 comments

Earlier this afternoon in Italy hundreds of thousands of people received an email from a “friend” stating (approximately) the following:

You’re under investigation! Hide everything and be quick!!! Your name appeared this morning together with 150 more persons on the website of CAFF in Rome. Check it by yourself, you’re on January’s list: the website is the following:

The email is relatively convincing and Symantec believes many users have actually visited the Web site:

The Web site look and feel is very similar to other Italian government Web sites and also the choice of the name—Comando...

Nishant Doshi | 21 Feb 2008 08:00:00 GMT | 0 comments

How many of us click on the links sent to us by trusted friends? Does the trust implicitly extend to the links they are sending? This trust is precisely what phishers take advantage of. Traditionally phishers have mainly used instant messaging (IM) and email to take advantage of the average user. However, with the rise in social networking sites the phishers have bought themselves a brand new playing field.

Symantec has recently observed millions of user profiles of a certain social networking site carrying malicious links. Here is an example of one of them:


The interesting thing here is that the malicious link appears to be a comment from a trusted friend. In most cases the trusted friend is not the perpetrator behind these attacks. The most likely scenario is that the trusted friend’s social networking site credentials have been compromised and...

Candid Wueest | 15 Feb 2008 08:00:00 GMT | 0 comments

It is surely of no surprise, especially to regular readers of our Weblog, that not only banks are targeted by phishing attacks, but nearly anything that can be scammed. We already commented on the rise in attacks targeting virtual worlds and especially massively multiplayer online role-playing games (MMORPGs) in earlier posts. The growing market for virtual currency and player accounts does attract new scammers. It’s the nature of things that if something becomes popular to use, it will also become popular to attack.

There was no exclamation of surprise then (a.k.a. Wow!) when I saw the latest phishing email for World of Warcraft. In general, it attempted to get a reaction from me by telling me that my account was temporarily suspended and that I need to log in to verify my details. Well actually, I would rather not log in to unlock my account but hey, it’s their story, not mine.


Silas Barnes | 25 Jan 2008 08:00:00 GMT | 0 comments

We all know that there is a certain amount of risk we have to accept when we place personal information on a Web site, including the possibility that someone may use that information without our explicit permission. We also know that social networking sites are becoming increasingly popular as more and more people enjoy the convenience with which to re-establish and maintain contact with long lost friends, distant relatives, and work colleagues. Well, now it seems as though you don't even have to go to the trouble of signing up for a profile with one social networking site or even provide content - they can do it for you!

Douglas Rushkoff, an author and documentarian from the United States, was momentarily confused when he started receiving a sudden burst of NDR (non-delivery report) emails informing him that a number of emails he had previously sent could not be delivered - particularly when he did not remember sending any such emails. And these particular emails all appeared to...

Andrea DelMiglio | 10 Jan 2008 08:00:00 GMT | 0 comments

The "referer" [sic] header is generally used to track back-links in order to understand how a certain Web site is being reached by its visitors (hyperlinks on other Web sites, search engines, etc.). According to the RFC2616, “...the Referer request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the "referrer", although the header field is misspelled).”

In the online fraud arena, the referrer field can also be used to detect new phishing Web sites. Let’s use as an example the following phishing site (which also happens to be a Rock Phish attack):